Oops: Cisco accidentally released in-house Dirty COW exploit attack code with software installer

Cisco this week patched critical vulnerabilities in its switches, Stealthwatch, and Unity voice messaging system. Oh, and ’fessed up that it accidentally shipped software that included in-house-developed exploit code for attacking Linux systems via the Dirty COW flaw.

The network giant also announced it has begun combing its products to identify any that might inherit the Apache Struts vulnerability patched this week. So far, that search hasn’t turned up any vulnerable products.

QA having a COW

If you’re in the mood for schadenfreude, this notice doesn’t get a CVE number, but reveals Cisco left Dirty COW exploit code in test scripts it shipped with its TelePresence Video Communication Server software.


Cisco blamed the blunder on internal quality control: the code exists to make sure software is patched against known exploits, and someone neglected to remove it before shipping.

The bundled exploit doesn’t open up TelePresence to attack, and new software images without the attack code are available.

Cheeky root account

Thor Simon, of Two Sigma Investments, probably needed a stiff drink when he realised his Cisco Small Business Switch had an undocumented admin account. He reported the flaw to Cisco, which labelled it CVE-2018-15439. It affects the Small Business 200 Series, 250 Series, 300 Series, 350 Series, 350X Series, 500 Series and 500X Series switches.

Unless the admin creates a user account with top-level privilege (Privilege 15 in Cisco-speak), the undocumented root account will persist; and if someone deletes all users with Privilege 15, the switch will re-create the account. There’s no patch in the works, but the workaround is simple: create a Privilege 15 user.
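The workaround in configuration form, as an added example that is not from Cisco's advisory or from this article. It assumes the Cisco Small Business 300-series CLI syntax for local users and for output filtering; the username and password are placeholders.

```cisco
! Added example (not from the page): create a Privilege 15 local user on a
! Cisco Small Business switch so the undocumented account is no longer kept.
! Syntax assumed to follow the SB 300-series CLI; ADMIN_NAME / CHANGE_ME are placeholders.
configure terminal
 username ADMIN_NAME password CHANGE_ME privilege 15
 exit
! Persist the change; an unsaved change is lost on reload
copy running-config startup-config
! Verify the account exists with the expected privilege level (output filter assumed supported)
show running-config | include username
```

Because the switch re-creates the undocumented account whenever no Privilege 15 user exists, the verification step matters after any cleanup of stale admin accounts.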

Threat detected in threat detection kit

Stealthwatch is Cisco’s enterprise threat detection and forensics software, and it had an insecure system configuration that let a remote attacker bypass the management console authentication with “crafted HTTP packets”.

Designated CVE-2018-15394, the bug affected Stealthwatch Enterprise versions 6.10.2 and prior.

Are you Java a laugh?

If you drew “Java deserialisation bug” in the sweepstake, your number came up in Cisco Unity Express.

Cisco explained the impact of the insecure deserialisation this way: “An attacker could exploit this vulnerability by sending a malicious serialised Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

Unity Express versions prior to 9.0.6 were affected. If you can’t patch, Cisco’s post provided access control list rules that block malicious traffic to TCP port 1099, the RMI listener. Cisco said the bug was found by pen-tester Joshua Graham.
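A defensive ACL of the kind Cisco's workaround describes, as an added example rather than the advisory's own rules. It assumes the Unity Express module sits behind a Cisco IOS router, uses standard IOS extended-ACL syntax, and uses placeholder addresses and interface names.

```cisco
! Added example (not Cisco's published rules): block inbound connections to the
! Java RMI listener (TCP 1099) on the Unity Express module until it is upgraded.
! 192.0.2.10 is a placeholder for the module's address; the interface name is a placeholder.
ip access-list extended BLOCK-CUE-RMI
 deny   tcp any host 192.0.2.10 eq 1099 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-CUE-RMI in
!
! Confirm the deny entry is matching: hit counters rise with each blocked attempt
show ip access-lists BLOCK-CUE-RMI
```

The `log` keyword turns each blocked connection into a syslog line, which doubles as a detection signal for anyone probing the RMI port. The trailing `permit ip any any` preserves existing traffic; without it the ACL's implicit deny would cut off the module entirely.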

And the rest

If you own a Cisco Meraki MR, MS, MX, Z1 or Z3 device, patch it against CVE-2018-0284, a bug in the local status page that gave an authenticated, remote attacker access to device configuration.

Cisco announced a further 11 bugs rated Medium and listed them here. ®
