Cisco on Thursday released security updates to fix seven different vulnerabilities – three critical in severity – in its Elastic Services Controller, Ultra Services Framework and Staging Server, and StarOS CLI products.
The ESC bugs consist of an unauthorized access vulnerability in the Play Framework (CVE-2017-6713) and an arbitrary command execution vulnerability (CVE-2017-6712). The first of these is a critical error caused by "static, default credentials for the Cisco ESC UI that are shared between installations," according to a Cisco advisory. Attackers who extract these credentials could then generate an admin session token, giving them full access.
The USF errors include an unauthenticated access vulnerability in the Ultra Automation Service (CVE-2017-6711), an arbitrary command execution vulnerability in the staging server (CVE-2017-6714), a lack of validation checks for the symbolic link (symlink) creation functionality of the AutoVNF tool (CVE-2017-6708), and a user credential disclosure vulnerability in the AutoVNF tool (CVE-2017-6709). These four bugs, the first two of which are considered critical, are founded in all releases prior to 5.0.3 and 5.1.
The critical bug designated CVE-2017-6711 results from an insecure default configuration of the Apache ZooKeeper service, and can be exploited to obtain unauthorized access to a targeted device. The critical bug labeled CVE-2017-6714 is found in the AutoIT service of the staging server, and could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user, Cisco warns.
Cisco also reported a vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series, 5500 Series, and 5700 Series devices as well as its Virtualized Packet Core (VPC) Software (CVE-2017-6707).
The US-CERT also posted an advisory referencing Cisco's updates.