Cisco Warns of Command Injection Flaw in Cloud Platform

2016-09-22T13:07:00
ID CISCO-WARNS-OF-COMMAND-INJECTION-FLAW-IN-CLOUD-PLATFORM/120804
Type threatpost
Reporter Tom Spring
Modified 2016-09-22T17:07:46

Description

It’s already been a busy month of patching for Cisco Systems, and on Wednesday the networking giant rolled out nine more security updates addressing critical vulnerabilities across its core product lines.

Most notably, Cisco is warning of two security holes (one rated critical, the other high) found in its Cisco Cloud Services Platform 2100 (CCSP). One could allow an unauthenticated remote attacker to execute arbitrary code on a targeted system. The other is a command injection vulnerability found in the web-based GUI of the CCSP. This critical vulnerability could allow a remote attacker to gain root access privileges on CCSP’s underlying OS and execute arbitrary commands.

In both CCSP cases, Cisco has released software patches to fix the vulnerabilities.

Cisco also warned of a command injection vulnerability in the IOx application environment of its Cisco IOS and IOS XE software. According to Cisco, the hole is tied to an IOx command and could allow an authenticated local attacker to inject commands into the IOx Linux guest operating system. Cisco did not issue a patch, but is providing workaround instructions.

Another security alert was issued for the Cisco Data in Motion component in Cisco’s IOS and IOS XE software. The flaw could allow an unauthenticated remote attacker to cause a partial denial-of-service (DoS) condition for the Data in Motion process on a targeted system. A software patch was issued for the bug.

Already this month, Cisco has been forced to release critical updates to a number of its core products. Last Friday, Cisco issued an alert for a second vulnerability in the Cisco IOS and IOS XE IOX operating systems similar to one exploited by the Equation Group, which is suspected to have ties to the U.S. National Security Agency. Last Thursday, Cisco warned customers of 12 vulnerabilities across its product line, including a critical vulnerability in the software that powers its conferencing product, WebEx Meetings Server.

As part of the security advisories announced Wednesday, Cisco also included seven “medium” security updates. One covers a vulnerability in the cryptographic implementation of multiple Cisco products that could allow an unauthenticated remote attacker to make use of hard-coded certificates and keys embedded within the firmware of the affected device. “An attacker could exploit this vulnerability by using the static information to conduct man-in-the-middle attacks to decrypt confidential information on user connections,” according to the Cisco alert.