Cisco WAAS, video gear have holes

Security advisories issued for management vulnerabilities; OSPF open to crafted packet attacks

Cisco issued three security advisories this week -- two involving its Wide Area Application Services (WAAS) WAN optimization appliance and content and video networking gear, and a third on multiple products running OSPF. Cisco released free software updates that address the vulnerabilities in all product groups.

Two of the vulnerabilities affect WAAS and content/video products configured as central managers or running in central management mode. In the WAAS case, when the appliance is configured as Central Manager, an unauthenticated, remote attacker could execute arbitrary code that enables administrative access to all the devices managed by the WAAS Central Manager.


Every WAAS network must have one primary WAAS Central Manager device that is responsible for managing the other WAAS devices in the network, the Cisco advisory states.

Affected WAAS software is listed in the advisory. Software releases prior to 4.2.1 are not affected.

Cisco discovered the vulnerability during resolution of a support case. The company is not aware of any public announcements or malicious use of the vulnerability.

The content and video delivery products have a similar problem when they are in central management mode, but there the vulnerability can be exploited by an authenticated, though unprivileged, user. The attacker can inject arbitrary commands into the operating system of the affected device and its associated managed devices.

From the advisory:

The vulnerability is due to a failure to properly sanitize user input that is subsequently used to perform an action using the underlying command-line interface of the device. An authenticated but unprivileged attacker could exploit this vulnerability by logging in to the GUI of the affected system and appending arbitrary code to some of the values passed to the system.

A list of the affected products and software releases is available in the advisory. It states that the command injection vulnerability was found during internal testing.

As with WAAS, Cisco says it is not aware of any public announcements or malicious use of the vulnerability.
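The pattern the advisory describes, sketched as an added example (not Cisco's code and not taken from the advisory): a GUI-supplied value is pasted into a CLI command string, shown beside a hardened form. The function names, the `echo` stand-in for the device CLI and the sample input are assumptions made for illustration.

```python
import re
import subprocess

# Hypothetical stand-in for the device CLI: "echo" only prints the command
# line it receives, so the example runs offline on any POSIX host.
CLI = "echo"

# Allowlist for the single field this sketch accepts (a device name).
# The first character must be alphanumeric, which also blocks values
# that start with "-" and would be read as CLI options.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def rename_device_vulnerable(name: str) -> str:
    """Flawed pattern: the GUI value is concatenated into a command
    string that a shell then parses, metacharacters included."""
    cmd = f"{CLI} set hostname {name}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def rename_device_hardened(name: str) -> str:
    """Validate against the allowlist, then pass the value as one argv
    element with no shell, so nothing in it is ever interpreted."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected device name: {name!r}")
    done = subprocess.run([CLI, "set", "hostname", name],
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    crafted = "edge1; echo INJECTED"  # constructed input, harmless marker
    # Vulnerable path: the shell splits at ";" and runs a second command.
    print(rename_device_vulnerable(crafted), end="")
    # Hardened path: the same value is refused before any command runs.
    try:
        rename_device_hardened(crafted)
    except ValueError as err:
        print(err)
    print(rename_device_hardened("edge1.example"), end="")
```

Validation and shell-free execution are independent controls: the allowlist rejects malformed values outright, while the argv list keeps any value that does pass from being reinterpreted as command syntax.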

A third advisory addresses an OSPF crafted-packet vulnerability in multiple Cisco products -- IOS, IOS-XE and NX-OS among them. A vulnerability involving the protocol's Link State Advertisement (LSA) database could allow an unauthenticated attacker to take full control of the OSPF Autonomous System domain routing table and to blackhole and intercept traffic.

The attacker could trigger the vulnerability by injecting crafted OSPF packets that could flush the routing table on a targeted router and propagate the crafted packet, the advisory states. The vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets.

Affected products include Cisco IOS software configured for OSPF -- but not OSPFv3; IOS-XE; Firewall Services Module, including ASA and PIX software; NX-OS; and the ASR 5000. OSPFv3 is not affected, and neither is Fabric Shortest Path First.

To recover affected systems, administrators can delete the OSPF configuration and enable it again, or reload it. But the advisory states that:

Clearing the OSPF process or routing table by means of commands such as clear ip ospf process or clear ip route does not have any effect and cannot be used to recover affected systems.

In addition to releasing free software to address the vulnerability, Cisco said workarounds are also available, such as enabling OSPF authentication. The vulnerability was found by researchers from Rafael Advanced Defense Systems and Ben Gurion University in Israel.
