Pierluigi Paganini April 14, 2017

Cisco issued two “critical” security advisories, one for Cisco IOS and Cisco IOS XE Software, another for a flaw affecting Apache Struts 2.

Today Cisco issued two “critical” security advisories, the first one for Cisco IOS and Cisco IOS XE Software, the second one for the recently discovered flaw affecting Apache Struts 2.

The vulnerability in Cisco IOS affects the Cisco Cluster Management Protocol (CMP) that could be exploited by an unauthenticated, remote attacker to trigger a DoS condition via a reload of the device, or remotely execute code with elevated privileges.

“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.” reads the Cisco Security Advisory.

According to Cisco a wide range of devices is affected by the flaw, including the Cisco Catalyst 2350-48TD-S Switch and the Cisco SM-X Layer 2/3 EtherSwitch Service Module.

“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options.” states Cisco.

The attacker can exploit the vulnerability establishing a Telnet session with vulnerable devices and by sending malformed CMP-specific Telnet options. At the time, I was writing there is no workaround to temporary fix the problem.

“An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” continues the advisory.

As for the flaw in Apache Struts2, Cisco confirmed that some products using the application could be remotely hacked. The remote code execution flaw disclosed by Apache in March, tracked as CVE-2017-5638, affects the Jakarta-based file upload Multipart parser.

The IT giant is still investigating its products to determine affected products, as for now the company confirmed that Cisco SocialMiner, Identity Services Engine (ISE), Prime License Manager and others are affected.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  CISCO, remote code execution)