Cisco is warning organizations with remote users that have deployed a particular Cisco wireless firewall, VPN and router to patch a critical vulnerability in each that could let attackers break into the network.
The vulnerability, which has an impact rating of 9.8 out of 10 on the Common Vulnerability Scoring System lets a potential attacker send malicious HTTP requests to a targeted device. A successful exploit could let the attacker execute arbitrary code on the underlying operating system of the affected device as a high-privilege user, Cisco stated.
The vulnerability is in the web-based management interface of three products: Cisco’s RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router. All three products are positioned as remote-access communications and security devices.
The web-based management interface of these devices is available through a local LAN connection or the remote-management feature and by default, the remote management feature is disabled for these devices, Cisco said in its Security Advisory.
It said administrators can determine whether the remote-management feature is enabled for a device, by opening the web-based management interface and choose “Basic Settings > Remote Management.” If the “Enable” box is checked, remote management is enabled for the device.
The vulnerability is due to improper validation of user-supplied data in the web-based management interface, Cisco said.
Cisco has released software updates that address this vulnerability and customers should check their software license agreement for more details.
Cisco warned of other developing security problems this week.
Cisco’s Talos security researchers warned that users need to keep a close eye on unsecured Elasticsearch clusters. Elasticsearch is an open-source distributed search and analytics engine built on Apache Lucene.
“We have recently observed a spike in attacks from multiple threat actors targeting these clusters,” Talos stated. In a post, Talos wrote that attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker’s payloads. These scripts are being leveraged to drop both malware and cryptocurrency-miners on victim machines.
Talos also wrote that it has identified social-media accounts associated with one of these threat actors. “Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads,” Cisco wrote.
Docker and Kubernetes
Cisco continues to watch a run-time security issue with Docker and Kubernetes containers. “The vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability either by persuading a user to create a new container using an attacker-controlled image or by using the docker exec command to attach into an existing container that the attacker already has write access to,” Cisco wrote.
“A successful exploit could allow the attacker to overwrite the host's runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system,” Cisco stated. So far Cisco has identified only three of its products as susceptible to the vulnerability: Cisco Container Platform, Cloudlock and Defense Orchestrator. It is evaluating other products, such as the widely used IOS XE Software package.
Cisco issued a third patch-of-a-patch for its Webex system. Specifically Cisco said in an advisory that a vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The company issued patches to address the problem in October and November, but the issue persisted.
“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges,” Cisco stated.
The vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.6, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.7, when running on a Microsoft Windows end-user system.
Details on how to address this patch are here.
Thanks to Michael Cooney (see source)