ESB-2018.2568.5 - UPDATE ALERT [Cisco] Cisco Products: Execute arbitrary code/commands - Remote/unauthenticated 2018-09-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2568.5
Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products
                             17 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11776  

Reference:         ASB-2018.0201

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts

Revision History:  September 17 2018: Updated the software availability information for vulnerable products.
                   September  7 2018: Updated the software availability information for vulnerable products.
                   September  5 2018: Updated the lists of products under investigation
                   September  3 2018: Updated the lists of products under investigation
                   August    30 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products:
August 2018

Priority: Critical
Advisory ID: cisco-sa-20180823-apache-struts
First Published: 2018 August 23 20:00 GMT
Last Updated: 2018 September 13 14:38 GMT
Version 1.11: Final
Workarounds: No workarounds available

CVE-2018-11776
CWE-20


Summary

  * A vulnerability in Apache Struts could allow an unauthenticated, remote
    attacker to execute arbitrary code on a targeted system.

    The vulnerability exists because the affected software insufficiently
    validates user-supplied input, allowing the use of results with no
    namespace value and the use of url tags with no value or action. In cases
    where upper actions or configurations also have no namespace or a wildcard
    namespace, an attacker could exploit this vulnerability by sending a
    request that submits malicious input to the affected application for
    processing. If successful, the attacker could execute arbitrary code in the
    security context of the affected application on the targeted system.  

    The following Snort rules can be used to detect possible exploitation of
    this vulnerability: Snort SID 29639, 39190, 39191, and 47634

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts
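
    As a defender-side companion to the description above, here is an added Python example (not part of the Cisco advisory or the AusCERT bulletin, and not a reproduction of the Snort rules it cites) that scans constructed web-server access-log lines for the request shape this vulnerability relies on: an OGNL expression marker in the namespace portion of a Struts action URL, including double URL-encoded forms.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not from the advisory).
# Lines 2 and 3 carry an OGNL expression marker in the namespace (the path before the
# final segment); line 3 is double URL-encoded. Lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Aug/2018:10:01:02 +0000] "GET /showcase/actionChain1.action HTTP/1.1" 200 512
203.0.113.7 - - [24/Aug/2018:10:01:05 +0000] "GET /%24%7B2%2B2%7D/actionChain1.action HTTP/1.1" 302 0
203.0.113.9 - - [24/Aug/2018:10:01:09 +0000] "GET /%2524%257B1%252B1%257D/index.action HTTP/1.1" 302 0
203.0.113.5 - - [24/Aug/2018:10:01:12 +0000] "GET /api/search.action?q=%7Bfoo%7D HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Struts evaluates "${...}" and "%{...}" as OGNL expressions.
OGNL_MARKER = re.compile(r"[$%]\{")


def decode_path(target: str, rounds: int = 2) -> str:
    """Drop the query string and percent-decode repeatedly to undo double encoding."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def namespace_of(path: str) -> str:
    """Struts derives the action namespace from everything before the last path segment."""
    head, _, _ = path.rpartition("/")
    return head


def is_suspicious(path: str) -> bool:
    """True when an OGNL marker sits in the namespace part of a decoded request path."""
    return OGNL_MARKER.search(namespace_of(path)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose namespace carries an OGNL marker."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Common Log Format line; skip it
        path = decode_path(m.group("target"))
        if is_suspicious(path):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['path']} (HTTP {hit['status']})")
```

    A hit only shows that a request had the shape the advisory describes; correlate it with the response status and application logs before treating it as a successful exploitation.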

Affected Products

  * The Vulnerable Products section includes Cisco bug IDs for each affected
    product or service. The bugs are accessible through the Cisco Bug Search
    Tool and contain additional platform-specific information, including
    workarounds (if available) and fixed software releases.

    Any product or service not listed in the Vulnerable Products section of
    this advisory is to be considered not vulnerable.

    Vulnerable Products

    Vulnerable products marked with an asterisk (*) contain an affected Struts
    library, but due to how the library is used within the product, these
    products are not vulnerable to any of the exploitation vectors known to
    Cisco at the time of publication.

    The following table lists Cisco products that are affected by the
    vulnerability that is described in this advisory:

    Product                                                     Cisco Bug ID  Fixed Release Availability
    ----------------------------------------------------------  ------------  --------------------------
    Collaboration and Social Media
      Cisco SocialMiner *                                       CSCvk78903    Patch available 11-Sept-2018
    Endpoint Clients and Client Software
      Cisco Prime Service Catalog *                             CSCvm13989
    Network and Content Security Devices
      Cisco Identity Services Engine (ISE)                      CSCvm14030    Patch file available 31-Aug-2018
    Voice and Unified Communications Devices
      Cisco Emergency Responder *                               CSCvm14044    1151es (14-Sep-2018); Standalone COP (21-Sep-2018)
      Cisco Finesse *                                           CSCvk78905    Patch file available 7-Sept-2018
      Cisco Hosted Collaboration Solution for Contact Center *  CSCvm14052    Patch file available 12-Sep-2018
      Cisco MediaSense *                                        CSCvk78906    Patch file available 12-Sep-2018
      Cisco Unified Communications Manager *                    CSCvm14042    1151es and 1201es (14-Sep-2018); Standalone COP (20-Sep-2018)
      Cisco Unified Communications Manager IM & Presence        CSCvm14049    1151es and 1201es (14-Sep-2018); Standalone COP (20-Sep-2018)
        Service (formerly CUPS) *
      Cisco Unified Contact Center Enterprise *                 CSCvm13986    Patch file available 12-Sept-2018
      Cisco Unified Contact Center Enterprise - Live Data       CSCvk78902    Patch file available 7-Sept-2018
        server *
      Cisco Unified Contact Center Express *                    CSCvm21744    Patch file available 12-Sep-2018
      Cisco Unified Intelligence Center *                       CSCvm13984    Patch file available 12-Sep-2018
      Cisco Unified Intelligent Contact Management              CSCvm13986    Patch file available 12-Sept-2018
        Enterprise *
      Cisco Unified SIP Proxy Software *                        CSCvm13980    918es (28-Sep-2018)
      Cisco Unified Survivable Remote Site Telephony Manager *  CSCvm13979    Patch file available 12-Sep-2018
      Cisco Unity Connection *                                  CSCvm14043    1151es and 1201su (18-Sep-2018); Standalone COP (21-Sep-2018)
      Cisco Virtualized Voice Browser *                         CSCvm14056    Patch file available 12-Sep-2018
    Video, Streaming, TelePresence, and Transcoding Devices
      Cisco Video Distribution Suite for Internet Streaming     CSCvm14027    2.3.35 (15-Sept-2018)
        (VDS-IS) *
    Cisco Cloud Hosted Services
      Cisco Network Performance Analysis                        CSCvm14040



    Products Confirmed Not Vulnerable

    Only products and services listed in the Vulnerable Products section of
    this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services. All members of the product families in the following
    list are not considered to be affected by this vulnerability unless they
    are explicitly listed in the preceding Vulnerable Products section:

    Cable Modems
      + Cisco 3G Femtocell Wireless

    Network Application, Service, and Acceleration
      + Cisco Data Center Network Manager

    Network and Content Security Devices
      + Cisco Secure Access Control System (ACS)

    Network Management and Provisioning
      + Cisco MXE 3500 Series Media Experience Engines
      + Cisco Prime Access Registrar
      + Cisco Prime Central for Service Providers
      + Cisco Prime Collaboration Assurance
      + Cisco Prime Collaboration Provisioning
      + Cisco Prime Infrastructure
      + Cisco Prime LAN Management Solution - Solaris
      + Cisco Prime License Manager
      + Cisco Prime Network Registrar IP Address Manager (IPAM)
      + Cisco Prime Network
      + Cisco Prime Order Management
      + Cisco Prime Provisioning
      + Cisco Security Manager
      + Cisco Smart Net Total Care - Local Collector appliance

    Routing and Switching - Enterprise and Service Provider
      + Cisco Broadband Access Center for Telco and Wireless

    Voice and Unified Communications Devices
      + Cisco Enterprise Chat and Email
      + Cisco Hosted Collaboration Mediation Fulfillment
      + Cisco Unified Customer Voice Portal
      + Cisco Unified E-Mail Interaction Manager
      + Cisco Unified Web Interaction Manager
      + Cisco Unity Express

    Video, Streaming, TelePresence, and Transcoding Devices
      + Cisco Enterprise Content Delivery System (ECDS)
      + Cisco Expressway Series
      + Cisco TelePresence Video Communication Server (VCS)

    Cisco Cloud Hosted Services
      + Cisco Business Video Services Automation Software
      + Cisco Cloud Web Security
      + Cisco Deployment Automation Tool
      + Cisco Network Device Security Assessment Service
      + Cisco Services Provisioning Platform
      + Cisco Smart Net Total Care - Contracts Information System Process
        Controller
      + Cisco Smart Net Total Care
      + Cisco Unified Service Delivery Platform
      + Cisco Webex Meeting Center - Windows
      + Cisco Webex Meeting Center
      + Cisco Webex Network-Based Recording (NBR) Management
      + Cisco Webex Teams (formerly Cisco Spark)
      + Cloud and Managed Services Program (CMSP)

Workarounds

  * Any workarounds for a specific Cisco product or service will be documented
    in product-specific or service-specific Cisco bugs, which are identified in
    the Vulnerable Products section of this advisory.

Fixed Software

  * For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory. Questions
    concerning the Cisco Webex environment can be directed to the Cisco
    Technical Assistance Center (TAC).

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) is aware of
    attempted exploitation of this vulnerability.

Source

  * On August 22, 2018, the Apache Software Foundation publicly disclosed this
    vulnerability in a security bulletin at the following link:
    https://cwiki.apache.org/confluence/display/WW/S2-057

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.


Action Links for This Advisory

  * Snort Rule 29639
    Snort Rule 39190
    Snort Rule 39191

Related to This Advisory

  * Apache Struts Namespace Remote Code Execution Vulnerability

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts

Revision History


    +-----------------------------------------------------------------------------+
    | Version |     Description     |    Section    | Status  |       Date        |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the         |               |         |                   |
    |         | software            |               |         |                   |
    | 1.11    | availability        | Affected      | Final   | 2018-September-13 |
    |         | information for     | Products      |         |                   |
    |         | vulnerable          |               |         |                   |
    |         | products.           |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the list of |               |         |                   |
    |         | vulnerable          |               |         |                   |
    |         | products; in the    | Affected      |         |                   |
    | 1.10    | previous version    | Products      | Final   | 2018-September-10 |
    |         | the asterisk was    |               |         |                   |
    |         | inadvertently       |               |         |                   |
    |         | omitted.            |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the         |               |         |                   |
    |         | software            |               |         |                   |
    | 1.9     | availability        | Affected      | Final   | 2018-September-06 |
    |         | information for     | Products      |         |                   |
    |         | vulnerable          |               |         |                   |
    |         | products.           |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of vulnerable       |               |         |                   |
    |         | products and        | Summary,      |         |                   |
    | 1.8     | products confirmed  | Affected      | Final   | 2018-September-05 |
    |         | not vulnerable.     | Products      |         |                   |
    |         | Removed references  |               |         |                   |
    |         | to ongoing          |               |         |                   |
    |         | investigation.      |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      | Affected      |         |                   |
    | 1.7     | vulnerable          | Products      | Interim | 2018-September-04 |
    |         | products, and       |               |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      | Affected      |         |                   |
    | 1.6     | vulnerable          | Products      | Interim | 2018-August-31    |
    |         | products, and       |               |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      | Affected      |         |                   |
    | 1.5     | vulnerable          | Products      | Interim | 2018-August-30    |
    |         | products, and       |               |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      |               |         |                   |
    |         | vulnerable          | Affected      |         |                   |
    |         | products, and       | Products,     |         |                   |
    | 1.4     | products confirmed  | Exploitation  | Interim | 2018-August-29    |
    |         | not vulnerable,     | and Public    |         |                   |
    |         | updated the         | Announcements |         |                   |
    |         | awareness of        |               |         |                   |
    |         | exploitation        |               |         |                   |
    |         | attempts.           |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      | Summary and   |         |                   |
    | 1.3     | vulnerable          | Affected      | Interim | 2018-August-28    |
    |         | products, and       | Products      |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Updated the lists   |               |         |                   |
    |         | of products under   |               |         |                   |
    |         | investigation,      | Summary and   |         |                   |
    | 1.2     | vulnerable          | Affected      | Interim | 2018-August-28    |
    |         | products, and       | Products      |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    |         | Added Snort SIDs.   |               |         |                   |
    |         | Updated the lists   |               |         |                   |
    |         | of products under   | Summary and   |         |                   |
    | 1.1     | investigation,      | Affected      | Interim | 2018-August-24    |
    |         | vulnerable          | Products      |         |                   |
    |         | products, and       |               |         |                   |
    |         | products confirmed  |               |         |                   |
    |         | not vulnerable.     |               |         |                   |
    |---------+---------------------+---------------+---------+-------------------|
    | 1.0     | Initial public      | ?             | Interim | 2018-August-23    |
    |         | release.            |               |         |                   |
    +-----------------------------------------------------------------------------+


Legal Disclaimer

  * THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

Cisco Security Vulnerability Policy

  * To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
