Cisco published six new security advisories this week, with four rated as ‘high impact’ and two as ‘critical impact’. Released on Wednesday, in the order of publication, they are:
CVE-2016-1290 – A vulnerability in the web API of the Cisco Prime Infrastructure and EPNM could allow an attacker to send a crafted URL request to by-pass RBAC and gain elevated privileges. The impact is classified as high.
CVE-2016-1291 A second vulnerability in the web API of the Cisco Prime Infrastructure and EPNM could allow an attacker to execute arbitrary code with root-level privileges. The impact is classified as critical.
CVE-2016-1346 – This vulnerability in the TelePresence Server fails to properly handle IPv6 packets. A successful exploit could allow an attacker to cause a kernel panic, rebooting the device. The impact is classified as high.
CVE-2016-1313 – The SSH private key for the UCS Invicta is stored insecurely in the system. As a result, an attacker could steal the key and use it to gain root privileges on the system. The impact is classified as critical.
CVE-2015-6313 – A second vulnerability in the TelePresence Server fails to properly parse specially crafted ‘evil packets’. Multiple packets eventually cause memory exhaustion and a system crash. The impact is classified as high.
CVE-2015-6312 – A vulnerability in the TelePresence Server version 3.1 fails to properly process malformed STUN packets. A successful attack could cause the device to reboot and drop all calls in the process. The impact is classified as high.
Cisco is advising administrators to install all relevant patches as soon as possible.
SecurityWeek asked whitehat researcher Ivan Sanchez what he thought of the vulnerabilities. “Most of these Cisco products are used in IT networks, but some are also used in OT networks. That is not a good idea,” he said. He also expressed astonishment that a company like Cisco could still be storing a default SSH key hardcoded in the software.
Sanchez demonstrated the worldwide extent of the problem with a heat map of the TelePresence Servers that were currently on line around the world. Three of the vulnerabilities affect this server, and each one can be delivered remotely. Until patched, every one of these servers is susceptible to remote attacks; and none of the attacks would be particularly difficult to craft and deliver.
It is, as Cisco suggests, important to update systems as soon as possible.