Security Experts:

Cisco Fixes Flaws in Network Analysis Modules

Cisco informed customers on Wednesday that it has released patches for several medium and high severity vulnerabilities affecting its Prime Network Analysis Module products.

Cisco’s Network Analysis Module (NAM) products are part of the company’s cloud and system management offering. They enable administrators to optimize network resources and improve the delivery of applications and services.

The product has been found to be plagued by two vulnerabilities that have been rated “high severity.” One of them, tracked as CVE-2016-1370, allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted IPv6 packets on the network where the NAM is monitoring traffic.

Another high severity issue, tracked as CVE-2016-1388, affects the product’s web interface. An attacker can exploit the flaw to remotely execute arbitrary commands on the underlying operating system via specially crafted HTTP requests. This vulnerability has been found to affect both physical and virtual modules (vNAM).

Cisco’s NAM and vNAM products are also plagued by two medium severity issues. One of them is a command injection vulnerability (CVE-2016-1390) that allows a local, authenticated attacker to execute arbitrary commands on the host operating system. An attacker could manage to execute commands with root privileges by submitting specially crafted input.

The second medium severity issue affects the web interface and allows a remote attacker to execute arbitrary commands or code by sending specially crafted HTTP requests to the targeted system. The vulnerability, identified as CVE-2016-1391, can only be exploited by an authenticated attacker.

Cisco addressed the flaws with the release of patches and security updates that can be downloaded from the Software Center on the company’s website.

The DoS vulnerability was identified by Cisco during internal quality assurance security testing, while the other issues were reported to the company by Daniel Jensen from Security-Assessment.com.

Related: Cisco Releases Critical Security Updates

Related: Cisco Patches Severe Flaws in Wireless LAN Controller

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.