ESB-2017.2280 - [Cisco] Cisco Products: Execute arbitrary code/commands - Remote/unauthenticated 2017-09-11


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2280
            Apache Struts 2 Remote Code Execution Vulnerability
             Affecting Multiple Cisco Products: September 2017
                             11 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12611  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

--------------------------BEGIN INCLUDED TEXT--------------------

Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco 
Products: September 2017

Critical

Advisory ID: cisco-sa-20170909-struts2-rce

First Published: 2017 September 9 17:00 GMT

Version 1.0: Interim

Workarounds: No workarounds available

CVE-2017-12611

CWE-20

Summary

On September 7, 2017, the Apache Software Foundation released a security 
bulletin that disclosed a vulnerability in the Freemarker tag functionality of
the Apache Struts 2 package. The vulnerability could allow an unauthenticated,
remote attacker to execute arbitrary code on an affected system. The Apache 
Software Foundation classifies the vulnerability as a Medium Severity 
vulnerability. For more information about this vulnerability, refer to the 
Details section of this advisory.

Multiple Cisco products incorporate a version of the Apache Struts 2 package. 
Cisco is investigating which of those products are affected by this 
vulnerability; see the Products Under Investigation section of this advisory.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Affected Products

For information about whether a product is affected by this vulnerability, 
refer to the Vulnerable Products and Products Confirmed Not Vulnerable 
sections of this advisory. The Vulnerable Products section includes Cisco bug
IDs for each affected product. The bugs are accessible through the Cisco Bug 
Search Tool and contain additional platform-specific information, including 
any available workarounds and fixed software releases.

If a Cisco product is not listed in the Products Under Investigation, 
Vulnerable Products, or Products Confirmed Not Vulnerable section of this 
advisory, it is assumed to not be vulnerable.

Products Under Investigation

The following Cisco products are under active investigation to determine 
whether they are affected by the vulnerability described in this advisory.

Collaboration and Social Media

Cisco Unified MeetingPlace

Cisco WebEx Meetings Server

Network Application, Service, and Acceleration

Cisco Data Center Network Manager

Network and Content Security Devices

Cisco Identity Services Engine (ISE)

Network Management and Provisioning

Cisco Digital Media Manager

Cisco MXE 3500 Series Media Experience Engines

Cisco Prime Central for Service Providers

Cisco Prime Collaboration Provisioning

Cisco Prime Home

Cisco Prime LAN Management Solution - Solaris

Cisco Prime License Manager

Cisco Prime Network Registrar IP Address Manager (IPAM)

Cisco Prime Network

Cisco Unified Intelligence Center

Voice and Unified Communications Devices

Cisco Emergency Responder

Cisco Enterprise Chat and Email

Cisco Hosted Collaboration Mediation Fulfillment

Cisco Hosted Collaboration Solution for Contact Center

Cisco Unified Communications Manager IM & Presence Service (formerly CUPS)

Cisco Unified Communications Manager

Cisco Unified Contact Center Enterprise

Cisco Unified E-Mail Interaction Manager

Cisco Unified Intelligent Contact Management Enterprise

Cisco Unified SIP Proxy Software

Cisco Unified Survivable Remote Site Telephony Manager

Cisco Unified Web Interaction Manager

Cisco Unity Connection

Cisco Virtualized Voice Browser

Video, Streaming, TelePresence, and Transcoding Devices

Cisco Enterprise Content Delivery System (ECDS)

Cisco Video Distribution Suite for Internet Streaming (VDS-IS)

Cisco Hosted Services

Cisco Business Video Services Automation Software

Cisco Cloud Web Security

Cisco Deployment Automation Tool

Cisco Network Device Security Assessment Service

Cisco Network Performance Analysis

Cisco Partner Support Service 1.x

Cisco Prime Service Catalog

Cisco Services Provisioning Platform

Cisco Smart Net Total Care

Cisco Tidal Performance Analyzer

Cisco Unified Service Delivery Platform

Cisco WebEx Network-Based Recording (NBR) Management

Vulnerable Products

Cisco is investigating its product line to determine which products may be 
affected by this vulnerability and the impact on each affected product. As the
investigation progresses, Cisco will update this advisory with information 
about affected products, including the ID of the Cisco bug for each affected 
product.

At the time of publication, no Cisco products are known to be affected by this
vulnerability.

Products Confirmed Not Vulnerable

Cisco is investigating its product line to determine which products may be 
affected by this vulnerability and the impact on each affected product. As the
investigation progresses, Cisco will update this advisory with information 
about products that are confirmed to not be affected by this vulnerability.

At the time of publication, Cisco has not confirmed that this vulnerability 
does not affect any Cisco products. However, if a Cisco product is not listed
in the Products Under Investigation section of this advisory, the product can
be assumed to not be vulnerable.

Details

A vulnerability in Apache Struts 2 could allow an unauthenticated, remote 
attacker to execute arbitrary code on a targeted system.

The vulnerability is due to the unsafe use of writable expression values in 
Freemarker content that is processed by the affected application. Where a 
Struts Freemarker tag attribute is built from interpolated text rather than 
from a string literal, Struts evaluates the resulting attribute value as an 
expression, so text that originated in a request can reach the expression 
evaluator. An attacker could exploit the vulnerability by submitting input 
that the affected application interpolates into such an attribute. If 
successful, the attacker could execute arbitrary code in the security context 
of the affected application on the targeted system.
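The pattern behind the Details section, as an added example that is not part of Cisco's advisory or of the Struts project: Apache's S2-053 bulletin (cited under Source below) describes the flaw as a Struts Freemarker tag attribute written with ${...} interpolation instead of a string literal, so that request-controlled text is re-evaluated as an OGNL expression, and gives passing the variable through value= as the fix. The Python script below scans Freemarker templates for that pattern. The two template fragments are constructed for illustration after the S2-053 example; the `s` tag prefix is the conventional Struts namespace and the `redirectUri` variable name is assumed.

```python
"""Flag Struts 2 Freemarker tags whose quoted attributes are built from
${...} interpolation, the "unintentional expression" pattern described in
Apache's S2-053 bulletin.  Added example for this bulletin; not Cisco's or
Apache's code.  Heuristic only: it reports every interpolation inside a
Struts tag attribute, which is exactly what S2-053 says to replace with value=."""
import re
import sys
from typing import List, Tuple

# A Struts Freemarker tag: <@s.hidden name="..." value=... />  ("s" is the
# conventional Struts tag prefix; closing tags such as </@s.form> do not match).
STRUTS_TAG = re.compile(r"<@s\.(\w+)\b(.*?)/?>", re.DOTALL)

# attr="...${...}..." or attr='...${...}...': the interpolated string becomes
# the attribute value, which Struts then evaluates as an expression.
INTERPOLATED_ATTR = re.compile(r"""(\w+)\s*=\s*(["'])[^"']*\$\{[^}]*\}[^"']*\2""")

# Constructed sample: an attribute whose value is interpolated from a variable
# that may carry request-controlled text (vulnerable pattern from S2-053).
VULNERABLE_TEMPLATE = """\
<#-- constructed sample: redirectUri may carry request-controlled text -->
<@s.form action="login">
  <@s.hidden name="${redirectUri}" />
  <@s.submit value="Sign in" />
</@s.form>
"""

# Constructed sample: the attribute is a literal and the variable is handed to
# the tag through value= (the S2-053 fix), so nothing is re-evaluated.
HARDENED_TEMPLATE = """\
<#-- constructed sample: literal attribute, variable passed via value= -->
<@s.form action="login">
  <@s.hidden name="redirectUri" value=redirectUri />
  <@s.submit value="Sign in" />
</@s.form>
"""


def find_unintentional_expressions(template: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, tag_name, attribute_name) for every Struts
    Freemarker tag attribute whose quoted value contains a ${...}
    interpolation.  Line numbers are 1-based and refer to the tag's start."""
    findings: List[Tuple[int, str, str]] = []
    for tag in STRUTS_TAG.finditer(template):
        tag_name, attrs = tag.group(1), tag.group(2)
        line = template.count("\n", 0, tag.start()) + 1
        for attr in INTERPOLATED_ATTR.finditer(attrs):
            findings.append((line, tag_name, attr.group(1)))
    return findings


def scan_files(paths: List[str]) -> List[str]:
    """Scan template files and return human-readable report lines."""
    report = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, tag, attr in find_unintentional_expressions(fh.read()):
                report.append(f"{path}:{line}: <@s.{tag} {attr}=\"${{...}}\"> "
                              f"- use a literal {attr}= and pass the variable via value=")
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_ftl.py templates/*.ftl
        for entry in scan_files(sys.argv[1:]):
            print(entry)
    else:
        # No paths given: demonstrate on the constructed samples.
        print("vulnerable:", find_unintentional_expressions(VULNERABLE_TEMPLATE))
        print("hardened:  ", find_unintentional_expressions(HARDENED_TEMPLATE))
```

Run it against a directory of .ftl files to get a line-referenced list of tags to rewrite; a clean scan is a useful check but not proof, since the regex does not follow includes or macros, and only an upgrade to a Struts release that contains the S2-053 fix addresses the underlying evaluation behaviour.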

This vulnerability has been assigned the following CVE ID: CVE-2017-12611

The Security Impact Rating (SIR) of this vulnerability is Critical.

Workarounds

Any workarounds that address this vulnerability will be documented in the 
Cisco bugs, which are accessible through the Cisco Bug Search Tool.

Fixed Software

Currently, there are no software updates that address the vulnerability 
described in this advisory. Updates for affected software releases will be 
published when they are available and information about those updates will be
documented in Cisco bugs, which are accessible through the Cisco Bug Search 
Tool.

When Cisco releases software updates that address this vulnerability, 
customers may only install and expect support for software versions and 
feature sets for which they have purchased a license. By installing, 
downloading, accessing, or otherwise using such software upgrades, customers 
agree to follow the terms of the Cisco software license:

https://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco TAC:

https://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

To determine the affected and fixed releases for each vulnerable product, 
refer to the Cisco bug identified for the product in the Vulnerable Products 
section of this advisory. Cisco bugs are accessible through the Cisco Bug 
Search Tool.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of this vulnerability against Cisco 
products.

Public exploits are available for this vulnerability.

Source

On September 7, 2017, the Apache Software Foundation publicly disclosed this 
vulnerability in the following security bulletin: S2-053

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Revision History

Version  Description              Section  Status   Date
1.0      Initial public release.  -        Interim  2017-September-09

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS 
DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
