Cisco: CISCO-SA-20170607-CCS
Jun 07, 2017 - 4:00 p.m.

Cisco Context Service SDK Arbitrary Code Execution Vulnerability

2017-06-07 16:00:00
tools.cisco.com
10

EPSS: 0.007 (Low), percentile 80.2%

A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.

The vulnerability is due to insufficient validation of the update JAR file’s signature. An attacker could exploit this vulnerability by performing a man-in-the-middle attack during the update process. At the same time, the attacker must poison a name service or control it and must also control a trusted signing certificate. An exploit could allow the attacker to replace the original JAR file with an altered version, which could then be used to execute arbitrary code.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-ccs
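
The advisory does not say how the SDK's signature check fell short. As an added illustration (not Cisco's code), the Java example below shows a strict check for a downloaded update JAR: every payload entry must verify and must be signed by one pinned certificate, so a JAR signed by any other certificate, trusted or not, is rejected. The class name and the PINNED_SHA256 placeholder are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class PinnedJarCheck {   // hypothetical class name
    // Placeholder: lowercase hex SHA-256 of the expected signer's leaf certificate (DER).
    static final String PINNED_SHA256 = "<expected-signer-cert-sha256-hex>";
    // Files that carry the signature itself and are never signed entries.
    static boolean isSignatureFile(String name) {
        return name.matches("(?i)META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))");
    }
    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // An entry passes if one of its verified signers is the pinned certificate.
    static boolean signedByPin(JarEntry e) throws Exception {
        CodeSigner[] signers = e.getCodeSigners();      // null when the entry is unsigned
        if (signers == null) return false;
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (sha256Hex(leaf.getEncoded()).equals(PINNED_SHA256)) return true;
        }
        return false;
    }
    /** True only if every payload entry verifies and is signed by the pinned certificate. */
    static boolean verify(String path) throws Exception {
        try (JarFile jar = new JarFile(path, true)) {    // true: check digests and signatures
            byte[] buf = new byte[8192];
            int payload = 0;
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }       // signers are known only after a full read
                }
                if (!signedByPin(e)) return false;       // unsigned, or signed by someone else
                payload++;
            }
            return payload > 0;                          // an empty JAR is not a valid update
        } catch (SecurityException tampered) {           // digest mismatch on a signed entry
            return false;
        }
    }
    public static void main(String[] a) throws Exception { System.out.println(verify(a[0]) ? "OK" : "REJECT"); }
}
```

The check runs on the downloaded file before it is placed on any classpath, so a rejected JAR is never loaded.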

Affected configurations

Vulners node:
cisco context_service_development_kit (match: any)
OR
cisco context_service_development_kit (match: any)
