Windows 10 News and info | Forum
May 22, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Cisco Upgrades Remote Code Execution Flaws to Critical Severity  (Read 14 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 30033


I Do Windows


WWW Email
« on: May 18, 2019, 03:54:08 AM »
ReplyReply

Cisco upgraded three remote code execution (RCE) vulnerabilities impacting the web management interfaces to critical severity with a CVSS base score of 9.8 after initially rating them as high with a base score of 8.8 when the advisories were first published on May 15.

Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager are network management tools used by administrators "for provisioning, monitoring, optimizing, and troubleshooting both wired and wireless devices."

According to Cisco's security advisory published on May 15 and updated on May 16, the critical vulnerabilities exist "because the software improperly validates user-supplied input" and they can be remotely exploited by potential attackers to gain the ability to execute arbitrary code with "root-level privileges on the underlying operating system."



The most dangerous is the issue tracked as CVE-2019-1821 which could be "exploited by an unauthenticated attacker that has network access to the affected administrative interface."

The other two flaws tracked as CVE-2019-1822 and CVE-2019-1823 are less concerning given that they would "require that an attacker have valid credentials to authenticate to the impacted administrative interface."

As further detailed by Cisco's security advisory:

Quote
These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface.


The three vulnerabilities affect the following software versions: Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

While there are no workarounds that address these vulnerabilities, Cisco has published free software updates which can be used to patch the software flaws.

High severity SQL injection vulnerabilities

The web-based management interface software is also affected by two other Improper Input Validation flaws rated as high severity and tracked as CVE-2019-1824 and CVE-2019-1825 which "could allow an authenticated, remote attacker to execute arbitrary SQL queries."

These software issues with CVSS base scores of 8.1 can be exploited by would-be attackers via malicious SQL statements sent to vulnerable web management interfaces using specially crafted HTTP requests. Following successful exploitation, attackers can "view or modify entries in some database tables, affecting the integrity of the data."

The products that could be abused by attackers by exploiting these two software issues are Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

Applying the security updates

Cisco's Product Security Incident Response Team (PSIRT) says that it is not aware of any public announcements or malicious use of the vulnerabilities.

According to Cisco, customers can follow the procedures described below to apply the security updates:

Quote
Customers can download the Cisco PI Software from the Software Center on Cisco.com by doing the following:

   ○ Click Browse all.

   ○ Choose Cloud and Systems Management> Routing and Switching Management >
      Network Management Solutions > Prime Infrastructure.

Customers can download the Cisco EPN Manager Software from the Software Center on Cisco.com by doing the following:

   ○ Click Browse all.

   ○ Choose Cloud and Systems Management > Routing and Switching Management >
      Evolved Programmable Network Manager.


source
« Last Edit: May 18, 2019, 04:00:41 AM by javajolt » Logged



Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page Today at 04:38:39 AM