Network Security, Patch/Configuration Management, Vulnerability Management

Cisco fixes seven bugs, including three critical vulnerabilities

Cisco on Thursday released security updates to fix seven different vulnerabilities – three critical in severity – in its Elastic Services Controller, Ultra Services Framework and Staging Server, and StarOS CLI products.

The ESC bugs consist of an unauthorized access vulnerability in the Play Framework (CVE-2017-6713) and an arbitrary command execution vulnerability (CVE-2017-6712). The first of these is a critical error caused by "static, default credentials for the Cisco ESC UI that are shared between installations," according to a Cisco advisory. Attackers who extract these credentials could then generate an admin session token, giving them full access.

The USF errors include an unauthenticated access vulnerability in the Ultra Automation Service (CVE-2017-6711), an arbitrary command execution vulnerability in the staging server (CVE-2017-6714), a lack of validation checks for the symbolic link (symlink) creation functionality of the AutoVNF tool (CVE-2017-6708), and a user credential disclosure vulnerability in the AutoVNF tool (CVE-2017-6709). These four bugs, the first two of which are considered critical, are founded in all releases prior to 5.0.3 and 5.1.

The critical bug designated CVE-2017-6711 results from an insecure default configuration of the Apache ZooKeeper service, and can be exploited to obtain unauthorized access to a targeted device. The critical bug labeled CVE-2017-6714 is found in the AutoIT service of the staging server, and could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user, Cisco warns.

Cisco also reported a vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series, 5500 Series, and 5700 Series devices as well as its Virtualized Packet Core (VPC) Software (CVE-2017-6707).

The US-CERT also posted an advisory referencing Cisco's updates.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.