Cisco Mitigates Vulnerabilities

Tuesday, July 19, 2016 @ 12:07 PM gHale


Cisco Systems patched vulnerabilities in its IOS software for networking devices and the Cisco and WebEx conferencing servers.

The most serious vulnerability affects the Cisco IOS XR software for the Cisco Network Convergence System (NCS) 6000 Series Routers, which can lead to a denial-of-service (DoS) condition.

A remote attacker can trigger the vulnerability through management connections to an affected device over Secure Shell (SSH), Secure Copy Protocol (SCP) or Secure FTP (SFTP).

Because it can affect the availability of a critical piece of equipment, like a router, Cisco rated this vulnerability high severity. There is no workaround and customers should install the newly released patches, Cisco said.

Another hole Cisco fixed in its IOS XR software allowed attackers to execute arbitrary commands on the operating system with root privileges. This vulnerability affects IOS XR Software Release 6.0.1.BASE. Cisco rated it as a medium severity issue because the attacker must already be authenticated as a local user.

A DoS vulnerability was also fixed in the IOS Software. The hole can be used to crash devices running affected versions of the software by sending specially crafted Link Layer Discovery Protocol (LLDP) packets to them. Exploitation doesn’t require authentication, but the attacker must be in a position to send LLDP packets to the device.

The firmware of Cisco’s ASR 5000 Series carrier-class platform, used in 3G and LTE networks, received an update that fixes an insecure SNMP (Simple Network Management Protocol) implementation. The hole allowed attackers to read and modify the device configuration.

Cisco’s meeting servers were also the focus of this week’s patch releases. One vulnerability in the HTTP interface of the Meeting Server, formerly Acano Conferencing Server, allowed attackers to launch persistent cross-site scripting (XSS) attacks against users of the interface.

Attackers could exploit this flaw by tricking users into clicking maliciously crafted links and could then execute rogue JavaScript code in their browsers in the context of the Cisco Meeting Server interface. This could be used to steal authentication cookies or to force users to perform unauthorized actions.
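The mechanism described above (a web interface echoing attacker-supplied content unescaped, so that injected script runs with the victim's session) and the two standard mitigations, output encoding and HttpOnly session cookies, as an added example that is not Cisco's code and does not reflect how the Meeting Server is implemented. The stored display name, the page fragment and the cookie value are all constructed for illustration.

```python
# Added example, not Cisco code: a minimal server-side HTML fragment renderer
# showing how a persistent XSS arises and how output encoding prevents it.
import html

# Constructed sample input: a profile field that an attacker-controlled
# account has stored, which the interface later shows to other users.
STORED_DISPLAY_NAME = '<script>steal()</script>"><b>x</b>'


def render_vulnerable(display_name: str) -> str:
    """Vulnerable pattern: user-controlled text pasted straight into HTML.
    Whatever markup the stored field contains is interpreted by the browser
    of every user who views the page, in the interface's origin."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name: str) -> str:
    """Hardened pattern: HTML-escape the value at the point of output.
    html.escape(..., quote=True) neutralises <, >, &, " and ' so the
    browser treats the field as text, not as tags or attributes."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def contains_active_markup(fragment: str) -> bool:
    """Crude check used here to show the difference between the two renderers:
    does the fragment still carry a raw <script> tag or an attribute-breaking quote?"""
    lowered = fragment.lower()
    return "<script" in lowered or '">' in fragment


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for a session token. HttpOnly keeps injected JavaScript
    from reading the cookie via document.cookie; Secure and SameSite limit where
    the browser will send it. The token is a constructed placeholder."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_DISPLAY_NAME))
    print("safe:      ", render_safe(STORED_DISPLAY_NAME))
    print("cookie:    ", session_cookie_header("EXAMPLE_TOKEN"))
```

Escaping at output time is the fix that actually removes the vulnerability; the HttpOnly flag only blunts one consequence (cookie theft) and does nothing against injected script that performs actions with the victim's session, which is why both are applied together.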

Two XSS vulnerabilities were also fixed in the Cisco WebEx Meetings Server version 2.6, one in its administration interface and one in the user interface. Both could be exploited by tricking users into visiting specially crafted links, which could lead to further attacks.