Network Security, Patch/Configuration Management, Vulnerability Management

Cisco fixes multiple product bugs to prevent malicious code execution, DoS conditions

Cisco this week issued a series of updates that patched vulnerabilities in its Prime Infrastructure (PI) and Evolved Programmable Network Manager (EPNM), Virtualized Packet Core - Distributed Instance (VPC-DI), and WebEx Network Recording Player products.

According to Cisco, the vulnerability in the web-based user interface of Cisco PI and EPNM involves the mishandling of XML External Entity entries when parsing an XML file. Authenticated attackers can exploit this high-severity bug by convincing users to import a maliciously crafted XML file. If successful, the attackers are granted read and write access to information stored in the affected system, and can perform remote code execution. The bug, designated, CVE-2017-6662, is found in PI releases 1.1 through 3.1.6 and EPNM software releases 1.2, 2.0, and 2.1.

The VPC-DI bug, designated CVE-2017-6678, is described by Cisco as a denial-of-service vulnerability in the product's ingress UDP packet processing functionality, caused by "insufficient handling of user-supplied data by the affected software." Unauthenticated, remote attackers could exploit this error to create a DoS condition using crafted UDP packets. According to Cisco, "A successful exploit could allow the attacker to cause an unhandled error condition on the affected system, which would cause the CF instances to reload and consequently cause the entire VPC to reload, resulting in the disconnection of all subscribers and a DoS condition on the affected system." VPC-DI software running on any version of the Cisco StarOS operating system released prior to the fix is affected.

The third bug is comprised of a series of buffer overflow vulnerabilities in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. Attackers who trick users into launching maliciously crafted ARF files can exploit this issue, designated CVE-2017-6669, in order to crash the player and execute arbitrary code.

The US-CERT on June 21 issued an online advisory announcing Cisco's latest security updates.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.