Cisco this week issued a series of updates that patched vulnerabilities in its Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM), Virtualized Packet Core - Distributed Instance (VPC-DI), and WebEx Network Recording Player products.
According to Cisco, the vulnerability in the web-based user interface of Cisco PI and EPNM involves the mishandling of XML External Entity entries when parsing an XML file. Authenticated attackers can exploit this high-severity bug by convincing users to import a maliciously crafted XML file. If successful, the attackers are granted read and write access to information stored in the affected system, and can perform remote code execution. The bug, designated, CVE-2017-6662, is found in PI releases 1.1 through 3.1.6 and EPNM software releases 1.2, 2.0, and 2.1.
The VPC-DI bug, designated CVE-2017-6678, is described by Cisco as a denial-of-service vulnerability in the product's ingress UDP packet processing functionality, caused by "insufficient handling of user-supplied data by the affected software." Unauthenticated, remote attackers could exploit this error to create a DoS condition using crafted UDP packets. According to Cisco, "A successful exploit could allow the attacker to cause an unhandled error condition on the affected system, which would cause the CF instances to reload and consequently cause the entire VPC to reload, resulting in the disconnection of all subscribers and a DoS condition on the affected system." VPC-DI software running on any version of the Cisco StarOS operating system released prior to the fix is affected.
The third bug is comprised of a series of buffer overflow vulnerabilities in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. Attackers who trick users into launching maliciously crafted ARF files can exploit this issue, designated CVE-2017-6669, in order to crash the player and execute arbitrary code.
The US-CERT on June 21 issued an online advisory announcing Cisco's latest security updates.