Attackers can hack CISCO TelePresence boxes with an HTTP request

Cisco Systems has found and fixed a critical vulnerability tied to its CISCO TelePresence hardware that allowed attackers to access it via an API bug.

Cisco announced it has patched a critical flaw (CVE-2016-1387) affecting its TelePresence systems that allowed unauthorized third-parties to access them by exploiting an API bug. The vulnerability has been rated as critical by CISCO that promptly alerted customers to have discovered the flaw alongside with two “high risk” denial of service flaws in the FirePOWER firewall hardware.
The US-CERT also issued an alert on Wednesday reporting the link to the CISCO advisories that detail the flaws.
Cisco has released three security patches to address the flaws in the TelePresence, FirePower and Adaptive Security Appliance lines.

Regarding the Cisco TelePresence system, the company is warning about the XML Application Programming Interface Authentication Bypass Vulnerability which is caused by the improper implementation of authentication mechanisms for the XML API. The attackers could exploit by using a specifically crafted HTTP request to the XML API that allows them to issue control commands modify the system settings.

“The vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API. A successful exploit could allow the attacker to perform unauthorized configuration changes or issue control commands to the affected system by using the API.” states the advisory published by CISCO.

Cisco fixed also a vulnerability (CVE-2016-1369) in the Adaptive Security Appliance with FirePower services that could be exploited by attackers to crash the appliance by sending a flood of specially crafted IP packets.  The attack could allow the attacker to shut down the Cisco FirePOWER module and stop the traffic inspection.

“A vulnerability in the kernel logging configuration for Firepower System Software for the Adaptive Security Appliance (ASA) 5585-X FirePOWER Security Services Processor (SSP) module could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to high consumption of system resources. ” states Cisco.

The third flaw (CVE-2016-1368) affects the FirePower System Software that allows attackers to launch a denial of service attack. The vulnerable devices belong to the FirePower 7000 and 8000 series hardware. Also in this case attackers can trigger the flaw to knock offline the system or cause a reboot.

“A vulnerability in the packet processing functions of Cisco FirePOWER System Software could allow an unauthenticated, remote attacker to cause an affected system to stop inspecting and processing packets, resulting in a denial of service (DoS) condition.” states the CISCO advisory. 
“The vulnerability is due to improper packet handling by the affected software when packets are passed through the sensing interfaces of an affected system. An attacker could exploit this vulnerability by sending crafted packets through a targeted system.”

Cisco and US-CERT are urging administrators t0 install the patches released by the company.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CISCO TelePresence, hacking)