Multiple Vulnerabilities in Cisco Products Could Allow for Remote Unauthorized Access with Elevated Privileges

MS-ISAC ADVISORY NUMBER:

2019-112

DATE(S) ISSUED:

10/18/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote unauthorized access with elevated privileges on the affected system. For affected access points, an attacker could view sensitive information, update the network configuration, and disable the access point resulting in a denial of service.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Aironet 1540 Series APs
• Aironet 1560 Series APs
• Aironet 1800 Series APs
• Aironet 1810 Series APs
• Aironet 1830 Series APs
• Aironet 1850 Series APs
• Aironet 2800 Series APs
• Aironet 3800 Series APs
• Aironet 4800 APs
• Aironet 9100 APs
• Firepower Management Center (FMC) Software
• Wireless LAN Controller (WLC) Software releases 8.5.140.0 and earlier
• Wireless LAN Controller (WLC) Software releases earlier than Release 8.10
• SPA112 2-Port Phone Adapter and SPA122 ATA with Router devices that are running firmware releases 1.4.1 SR4 and earlier and that have the web-based management interface enabled.
• 250 Series Smart Switches
• 350 Series Managed Switches
• 550X Series Stackable Managed Switches
• Expressway Series and TelePresence VCS running a software release earlier than Release X12.5.4
• TelePresence CE Software releases earlier than Release 9.8.0
• TelePresence CE Software releases earlier than Release 9.8.1
• SPA100 Series ATAs that were running firmware releases 1.4.1 SR3 and earlier
• Business 200 Series Smart Switches
• Business 300 Series Managed Switches
• Business 500 Series Stackable Managed Switches
• ISE Software releases earlier than Release 2.4.0 Patch 10
• ISE releases earlier than 2.4P10 or 2.3P7
• FindIT Network Probe versions 1.0.0 and 1.0.1

RISK:

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow a remote, unauthenticated attacker, unauthorized access with elevated privileges on the affected system. Details of these vulnerabilities are as follows:

• A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. (CVE-2019-12687, CVE-2019-12688).
• A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. (CVE-2019-15260)
• A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. (CVE-2019-15262)
• Multiple vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, adjacent attacker to execute arbitrary code with elevated privileges. (CVE-2019-15240, CVE-2019-15241, CVE-2019-15242)
• A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. (CVE-2019-12636)
• A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. (CVE-2019-15261)
• A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation of Cisco Aironet and Catalyst 9100 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. (CVE-2019-15264)
• A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to view system files that should be restricted. (CVE-2019-15266)
• A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. (CVE-2019-12705)
• A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute code with root privileges. (CVE-2019-15277)
• A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. (CVE-2019-15275)
• A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to write files to the /root directory of an affected device. (CVE-2019-15962)
• Multiple vulnerabilities in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to overwrite arbitrary files. (CVE-2019-15273)
• A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to perform command injections. (CVE-2019-15274)
• A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to cause a denial of service condition on an affected device. (CVE-2019-15258)
• A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. (CVE-2019-12704)
• A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. (CVE-2019-15257)
• A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. (CVE-2019-12702)
• A vulnerability in the web-based management interface of Cisco SPA122 ATA with Router Devices could allow an unauthenticated, adjacent attacker to conduct cross-site scripting attacks. (CVE-2019-12703)
• A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to access sensitive information on an affected device. (CVE-2019-12708)
• A vulnerability in the web-based interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. (CVE-2019-12718)
• A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. (CVE-2019-15281)
• Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. (CVE-2019-12637)
• A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. (CVE-2019-12638)
• A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an unauthenticated, remote attacker to read tcpdump files generated on an affected device. (CVE-2019-15282)
• A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. (CVE-2019-15280)
• Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. (CVE-2019-15268, CVE-2019-15269)
• A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface. (CVE-2019-15270)
• A vulnerability in the bridge protocol data unit (BPDU) forwarding functionality of Cisco Aironet Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an AP port to go into an error disabled state. (CVE-2019-15265)
• Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches Firmware and Cisco FindIT Network Probe (No associated CVEs)

Successful exploitation of the most severe of these vulnerabilities could allow for remote unauthorized access with elevated privileges on the affected system. For affected access points, an attacker could view sensitive information, update the network configuration, and disable the access point resulting in a denial of service.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Install the updates provided by Cisco immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES: