Advisories

CERT-In Advisory CIAD-2019-0034

Multiple Vulnerabilities in Cisco

Original Issue Date: November 07, 2019

Severity Rating: High

Systems Affected

Cisco Wireless LAN Controllers
Cisco Small Business RV Series Routers

RV016 Multi-WAN VPN Router
RV042 Dual WAN VPN Router
RV042G Dual Gigabit WAN VPN Router
RV082 Dual WAN VPN Router

Cisco Webex Meetings sites
Cisco Webex Meetings Online
Cisco Webex Meetings Server
Cisco TelePresence CE Software
Cisco TC Software
Cisco RoomOS Software
Cisco Small Business RV Series Routers
Cisco Web Security Appliance (WSA)
Cisco TelePresence CE Software

Webex Board 55
Webex Board 55S
Webex Board 70
Webex Board 70S
Webex Board 85S

Cisco PI Software releases prior to 3.4.2, 3.5.1, 3.6.0 Update 02 and Cisco EPNM releases prior to 3.0.2

Overview

Multiple vulnerabilities have been reported in Cisco which could be exploited by an attacker to gain root-level access, run commands in the context of the root user and full control of the device.

Description

1. Cisco Wireless LAN Controller HTTP Parsing Engine ( CVE-2017-15276   )

A vulnerability exists in the web interface of Cisco Wireless LAN Controller Software due to failure of the HTTP parsing engine to handle specially crafted URLs that allow the attacker to cause an unexpected restart of the device, resulting in a DoS condition. A attacker could exploit this vulnerability by authenticating with low privileges to an affected controller and submitting the crafted URL to the web interface of the affected device. Conversely, an unauthenticated attacker could exploit this vulnerability by persuading a user of the web interface to click the crafted URL.
Successful exploitation of this vulnerability could allow a low-privileged, authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

2. Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Arbitrary Command Execution Vulnerability ( CVE-2017-15271   )

A vulnerability exists in the web-based management interface of certain Cisco Small Business RV Series Routers due to lack of input validation of the HTTP payload that allow the attacker to execute commands with root privileges. A attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device.
Successful exploitation of this vulnerability could allow an authenticated, remote attacker to execute arbitrary commands with root privileges.

3. Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities ( CVE-2019-15283   CVE-2019-15284   CVE-2019-15285   CVE-2019-15286   CVE-2019-15287   )

Multiple vulnerabilities exist in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF) that allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user. A attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on an affected system.

4. Cisco TelePresence Collaboration Endpoint, TelePresence Codec, and RoomOS Software Privilege Escalation Vulnerability ( CVE-2019-15288   )

A vulnerability exists in CLI of Cisco TelePresence Collaboration Endpoint (CE), Cisco TelePresence Codec (TC), and Cisco RoomOS Software due insufficient input validation that allow to gain unrestricted user access to the restricted shell of an affected device. A attacker could exploit this vulnerability by including specific arguments when opening an SSH connection to an affected device.
Successful exploitation of this vulnerability could allow a remote attacker to escalate privileges to an unrestricted user of the restricted shell.

5. Cisco TelePresence Collaboration Endpoint and RoomOS Software Denial of Service Vulnerabilities ( CVE-2019-15289   )

A vulnerability exists in video service of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software due to insufficient input validation that allow to cause the video service to crash, resulting in a DoS condition on an affected device. A attacker could exploit this vulnerability by sending crafted traffic to the video service of an affected endpoint.
Successful exploitation of this vulnerability could allow a remote attacker to cause a denial of service (DoS) condition on an affected device.

6. Cisco Web Security Appliance Unauthorized Device Reset Vulnerability ( CVE-2019-15956   )

A vulnerability exists in web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) due to improper authorization controls for a specific URL in the web management interface that allow to change the administrator password, gaining privileged access, or reset the network configuration details, causing a denial of service (DoS) condition. A attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.
Successful exploitation of this vulnerability could allow a remote attacker to perform an unauthorized system reset on an affected device.

7. Cisco Small Business Routers RV016, RV042, RV042G, RV082, RV320, and RV325 Command Injection Vulnerability ( CVE-2019-15957   )

A vulnerability exists in web-based management interface of certain Cisco Small Business RV Series Routers due to insufficient validation of user-supplied input that allow to execute arbitrary commands on the underlying Linux operating system as the root user. A attacker could exploit this vulnerability by providing malicious input to a specific field in the web-based management interface of an affected device.
Successful exploitation of this vulnerability could allow a remote attacker with administrative privileges to inject arbitrary commands into the underlying operating system.

8. Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability ( CVE-2019-15958   )

A vulnerability exists in REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) due to insufficient input validation during the initial High Availability (HA) configuration and registration process of an affected device that the attacker to execute arbitrary code with root-level privileges on the underlying operating system. A attacker could exploit this vulnerability by uploading a malicious file during the HA registration period.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with root privileges on the underlying operating system.

Solution

Apply appropriate updates as mentioned in:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-webex-player
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-telepres-roomos-privesc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-telepres-roomos-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wsa-unauth-devreset
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbr-cominj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-pi-epn-codex

Vendor Information

CISCO
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-webex-player
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-telepres-roomos-privesc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-telepres-roomos-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wsa-unauth-devreset
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbr-cominj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-pi-epn-codex

References

CVE Name
CVE-2017-15276
CVE-2017-15271
CVE-2019-15283
CVE-2019-15284
CVE-2019-15285
CVE-2019-15286
CVE-2019-15287
CVE-2019-15288
CVE-2019-15289
CVE-2019-15956
CVE-2019-15957
CVE-2019-15958

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India