Cisco Patches Critical Flaws in IOS XE and Prime Collaboration Provisioning

Cisco Systems has released a new set of patches this week for a variety of products, including updates for IOS XE and Prime Collaboration Provisioning that fix two critical vulnerabilities.

The Cisco IOS XE Software, the company’s operating system for networking devices such as routers, has a critical flaw in its authentication, authorization and accounting (AAA) security services.

The flaw stems from the incorrect parsing of usernames during the authentication process and can be exploited by unauthenticated, remote attackers to execute arbitrary code on the affected devices or to cause devices to reload, leading to a denial of service condition.

“This vulnerability affects Cisco devices that are running Cisco IOS XE Software Release Fuji 16.7.1 or Fuji 16.8.1 and are configured to use AAA for login authentication,” Cisco said in an advisory. Users should update to Fuji 16.7.2, Fuji 16.8.1c or Fuji 16.8.1s, whichever applies to their release train.

The critical vulnerability in Cisco Prime Collaboration Provisioning (PCP) is caused by an open port in the Network Interface and Configuration Engine (NICE) service, which provides attackers with access to the Java Remote Method Invocation (RMI) system. This allows them to perform malicious actions through the RMI.

PCP allows customers to easily install and maintain Cisco Unified Communications and Cisco TelePresence components. The flaw affects PCP releases 11.6 and older and has been fixed in releases 12.1 and later.

In addition to this critical vulnerability, Cisco has fixed five other high-risk flaws in PCP this week, ranging from access control bypass to unauthorized password reset, arbitrary command execution and SQL injection.

The company also fixed high-risk vulnerabilities in its Web Security Appliance; Identity Services Engine; Network Services Orchestrator; IP Phone 6800, 7800 and 8800 Series; Cisco Meeting Server and Adaptive Security Appliance.

U.S. Think Tanks Targeted by Patchwork Cyberespionage Group

An Indian APT group known as Patchwork or Dropping Elephant that historically has targeted organizations in China and South Asia has recently pivoted and now appears to be targeting U.S.-based think tanks.

“In three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of well-known think tank organizations in the United States,” researchers from Volexity said in a blog post. “The group lifted articles and themes from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS) and the Mercator Institute for China Studies (MERICS) for use in their spear phishing lures and malicious Rich Text Format (RTF) documents.”

The malicious documents contained an exploit for the CVE-2017-8750 vulnerability in the form of a scriptlet. This vulnerability affects Microsoft’s browsers and was patched in December. If successful, the exploit installs QuasarRAT, an open source remote access trojan that might be used to make attribution harder.

The attackers apparently also have started recording which recipients open their phishing emails, which allows them to confirm that their messages have been delivered and to see who is more susceptible to opening them. This technique also allows them to collect information about the targets, such as the operating system and the email client or browser used.

“The addition of U.S.-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted,” the Volexity researchers said. “While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
