• United States



Senior Editor

Cisco runs out two “critical” security warnings for IOS, Apache Struts (again)

News Analysis
Apr 14, 20173 mins
Cisco SystemsCyberattacksInternet Security

Cisco today issued two “critical” security advisories, one for Cisco IOS and Cisco IOS XE Software, the other for the ongoing discovery of problems with Apache Struts2.

The IOS vulnerability is in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software which could let an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges, Cisco stated.

+More on Network World: Cisco targets digital business transformation with new certifications+

The list of potential switches and software under this warning is extensive and covers everything from the Cisco Catalyst 2350-48TD-S Switch to the Cisco SM-X Layer 2/3 EtherSwitch Service Module.

“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” Cisco wrote.

+More on Network World: DARPA semantic program seeks to glean truth from obfuscation+

Cisco said it will release software to address this vulnerability but there are no workarounds at this point.

As for the other critical warning, Cisco wrote that On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using acrafted “Content-Type, Content-Disposition, or Content-Length” value.

At this point, Cisco said is continuing to investigate its product line to determine which products may be affected by this vulnerability and the impact on each affected product. The products Cisco says are affected include it Cisco SocialMiner, Identity Services Engine (ISE), Prime License Manager and others. A complete list can be found here.

Since March Cisco has issued a variety of warnings on the Apache problem.

On March 16, Cisco’s security team called another weakness in Apache Struts “critical” and published a list of vulnerable products. Among them, Cisco Unified Communications Manager IM & Presence Service; Cisco Unified Communications Manager Session Management Edition; and Cisco Unified Communications Manager – all have patches available to address those problems, Cisco said.