Cisco Products Receive Patches for Critical Struts Vulnerability

Cisco Systems has released patches for some of its products that use the Apache Struts web development framework and are affected by a recently announced critical vulnerability.

The flaw, tracked as CVE-2018-11776, was patched in Apache Struts two weeks ago and was quickly followed by proof-of-concept exploits and in-the-wild attacks. Struts is a popular framework for developing Java-based enterprise web applications and is also used in products from various vendors.

Cisco identified vulnerable versions of the framework in the following products: SocialMiner, Prime Service Catalog, Identity Services Engine (ISE), Emergency Responder, Finesse, Hosted Collaboration Solution for Contact Center, MediaSense, Unified Communications Manager IM & Presence Service (formerly CUPS), Unified Communications Manager, Unified Contact Center Enterprise – Live Data server, Unified Contact Center Enterprise, Unified Contact Center Express, Unified Intelligence Center, Unified Intelligent Contact Management Enterprise, Unified SIP Proxy Software, Unified Survivable Remote Site Telephony Manager, Cisco Unity Connection, Virtualized Voice Browser, Video Distribution Suite for Internet Streaming (VDS-IS) and Cisco Network Performance Analysis.

Patches are already available for some of those products, but not all of them. Also, not all products are vulnerable in the same way because of differences in how they use the library. A Cisco advisory contains a detailed table of affected products.

“The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action,” Cisco said in its advisory. “In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.”
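The conditions Cisco's advisory describes (results with no namespace value, actions or packages with no namespace or a wildcard namespace) are all visible in a Struts application's `struts.xml`. The following script is an added example, not code from Cisco, Apache or the original article: it parses a constructed sample configuration and flags the settings that match those conditions, plus the `struts.mapper.alwaysSelectFullNamespace` constant, which in the upstream Apache advisory for CVE-2018-11776 is the precondition that makes the missing-namespace case reachable. Package names, action classes and paths in the sample are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml for the audit below (hypothetical packages and
# classes; not taken from any real product). Three packages are defined:
#   "default": no namespace at all, with a redirectAction result lacking a namespace
#   "wild":    wildcard namespace "/*"
#   "fixed":   explicit namespace, plain JSP result (the hardened form)
SAMPLE_STRUTS_XML = """<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="search" class="example.SearchAction">
      <result name="success" type="chain">
        <param name="actionName">results</param>
        <param name="namespace">/search</param>
      </result>
    </action>
  </package>
  <package name="fixed" namespace="/app" extends="struts-default">
    <action name="home" class="example.HomeAction">
      <result name="success">/WEB-INF/home.jsp</result>
    </action>
  </package>
</struts>
"""

# Result types that forward to another action and therefore need a namespace
# parameter to avoid falling back to the namespace taken from the request.
FORWARDING_RESULT_TYPES = {"redirectAction", "chain"}


def audit_struts_config(xml_text):
    """Return a list of (kind, location, detail) findings for a struts.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The constant that makes missing-namespace actions select the namespace
    #    from the incoming request.
    for const in root.iter("constant"):
        if (const.get("name") == "struts.mapper.alwaysSelectFullNamespace"
                and (const.get("value") or "").strip().lower() == "true"):
            findings.append(("constant", const.get("name"), "set to true"))

    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "<unnamed>")
        namespace = pkg.get("namespace")

        # 2. Packages (and so their actions) with no namespace or a wildcard one.
        if not namespace or "*" in namespace:
            findings.append(("package", pkg_name, f"namespace={namespace!r}"))

        # 3. Results that forward to another action without an explicit namespace.
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in FORWARDING_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(("result", f"{pkg_name}/{action.get('name')}",
                                     f"{result.get('type')} result without namespace param"))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_struts_config(SAMPLE_STRUTS_XML):
        print(f"{kind:9} {where:20} {detail}")
```

Run against the sample, the audit reports the constant, the `default` package (no namespace) and its `redirectAction` result, and the `wild` package's `/*` namespace; the `fixed` package is clean. Point it at a real application's extracted `struts.xml` to get the same triage. The findings are hardening targets (give every package an explicit namespace and every forwarding result a `namespace` parameter), not a substitute for upgrading to a Struts release that contains the fix (2.3.35 or 2.5.17 and later).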

Products that haven’t yet received patches can be protected from attacks using Snort rules 29639, 39190, 39191, and 47634.

Apache Struts vulnerabilities have been exploited by hackers in the past to install cryptocurrency mining malware on servers, but also to steal data. The massive data breach at Equifax announced last year was caused by an unpatched Apache Struts vulnerability.

In addition to patching Struts flaws on their own servers and applications, companies should also check if the third-party products they use from other vendors include the framework. It usually takes some time until major software companies go through their product portfolios to identify and patch products affected by flaws in open source components and libraries.

On Wednesday, Cisco also patched a critical vulnerability in the API of the Cisco Umbrella service that could allow authenticated users to view and modify data across other organizations they’re not part of.

A critical remote code execution vulnerability was also identified and patched in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router and Cisco RV215W Wireless-N VPN Router. The flaw is caused by a buffer overflow in the processing of user-supplied input from a Guest user.

Serious Vulnerabilities Patched in DevOps Tool Opsview Monitor

Opsview Monitor, a tool used by DevOps teams to monitor hybrid IT infrastructure and apps, received patches for several vulnerabilities that could potentially allow attackers to take control of the system.

Opsview Monitor is a virtual appliance that can be deployed inside an organization’s network to monitor services using Docker, VMware, Amazon Web Services, Hyper-V and other technologies. The appliance has a web-based Management Console that allows managing and monitoring hosts.

The vulnerabilities were found by researchers from Core Security and range from cross-site scripting to remote command execution and privilege escalation.

Some vulnerabilities “could be abused to execute malicious JavaScript code in the context of a legitimate user,” the Core researchers said in an advisory. Other issues “could allow an attacker to obtain command execution on the system as the nagios user. Finally, the issue found in one of the scripts run during the boot process […] would allow attackers to elevate their privileges from nagios user to root after a system restart, hence obtaining full control of the appliance.”

The vulnerabilities were patched in Opsview Monitor 5.3.1, 5.4.2 and 6.0.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42