SD-WAN admin? Your number came up in Cisco's latest bug list

Webex, security, IoT systems also need patches


Cisco's irregular patch cycle has come round again and this time the focus is on the company's SD-WAN product.

As well as high-rated bugs in Webex, small business routers and various security products, Switchzilla has disclosed one critical bug in its SD-WAN, and another four vulnerabilities rated high.

That critical rating was assigned to CVE-2019-1651, a bug in the SD-WAN's virtual container, vContainer, the VM which hosts the SD-WAN controllers. If an attacker sends a malicious file to the vContainer, it can cause a buffer overflow, leading to a denial-of-service (DoS) condition that lets the attacker execute arbitrary code as root.

The high-rated bugs in SD-WAN are:

  • CVE-2019-1647, an insecure default configuration that exposes vSmart containers to authenticated, adjacent users;
  • CVE-2019-1648, a user group configuration error that can be exploited to give an authenticated user elevated privileges;
  • CVE-2019-1650, a slip in the command line interface's (CLI's) save command. An authenticated remote attacker can write arbitrary files to the target, escalating their privilege to root; and
  • CVE-2019-1646, also offering privilege escalation via the CLI, but this time only exploitable by an authenticated local attacker.

Webex has two high-rated vulnerabilities: "unsafe search paths used by the application URI" in Windows expose Webex Teams (formerly Spark) to arbitrary remote code execution if a target clicks on a malicious link (CVE-2019-1636); and the Webex Network Recording Player improperly validates recording files (formats ARF and WRF), which also exposes users to remote code execution via phising (here, with multiple CVEs).

Switchzilla's RV320 and RV325 small business routers have a privilege escalation vulnerability in CVE-2019-1652: an attacker with the devices' admin credentials can send malicious HTTP POST commands to the admin interface, and get access as root.

The same boxen also suffer improper access controls for sensitive URLs in CVE-2019-1653. An attacker can connect via HTTP or HTTPS and access URLs that provide router config or diagnostic files.

Cisco this week disclosed two high-rated bugs in security products. Its Identity Services Engine (ISE) is a privilege escalation bug exploitable by an authenticated remote attacker. They can access admin interface pages allowing them to create new Admin accounts, in CVE-2018-15459.

The Firepower Threat Defence's packet inspection can be bypassed, in CVE-2019-1669. Cisco said "specific traffic patterns" could be sent to the device, causing either a "fail open" (it stops inspecting traffic), or a "fail closed" (DoS).

The final vulnerability rated high is in Cisco's IoT Field Director, a network management system for Internet of Things "field area networks". In CVE-2019-1644, a target can be hosed by high rates of UDP packets. ®

Broader topics


Other stories you might like

  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Datacenter networks: You'll manage them from the cloud, eventually, claims Cisco
    Nexus portfolio undergoes cloudy Software-as-a-Service revamp

    Cisco's Nexus Cloud will eventually allow customers to manage their datacenter networks entirely from the cloud, says the networking giant.

    The company unveiled the latest addition to its datacenter-focused Nexus portfolio at Cisco Live this week, where the product set got a software-as-a-service (SaaS) revamp.

    "It's targeted at network operations teams that need to manage, or want to manage, their Nexus infrastructure as well as their public-cloud network infrastructure in one spot," Cisco's Thomas Scheibe – VP product management, cloud networking for Nexus & ACI product lines – told The Register.

    Continue reading
  • Cisco execs pledge simpler, more integrated networks
    Is this the end of Switchzilla's dashboard creep?

    Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

    "We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

    "Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Cisco EVP: We need to lift everyone above the cybersecurity poverty line
    It's going to become a human-rights issue, Jeetu Patel tells The Register

    RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

    "It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

    "This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading

Biting the hand that feeds IT © 1998–2022