New Patches Address Critical Vulnerability Points in Cisco Systems
Cisco recently issued patches to address critical vulnerability points in multiple systems, eliminating exploits in two collaboration platforms and appliances that incorporate the company’s FirePOWER security service modules.
According to Computerworld, the platforms and systems affected are Cisco’s Telepresence Codec software, Collaboration Endpoint software and FirePOWER System software, wherein the company identified a pair of separate hacking vectors.
Critical Vulnerability Identified in Telepresence Software
In the Telepresence software instances, cybercriminals discovered how to access system configuration and command functionality by creating HTTP requests, thereby avoiding authentication safeguards within Codec’s and Collaboration Endpoint’s XML application programming interface (API).
The exploit compromises the following devices:
- TelePresence EX Series;
- TelePresence Integrator C Series;
- TelePresence MX Series;
- TelePresence Profile Series;
- TelePresence SX Series;
- TelePresence SX Quick Set Series;
- TelePresence VX Clinical Assistant; and
- TelePresence VX Tactical.
Cisco suggests that if clients are unable to immediately install the issued patches, the vulnerabilities can be temporarily addressed by disabling the Telepresence software’s XML API. That solution, however, will disable some product features until the patches are installed.
Other Shortcomings in FirePOWER System
The FirePOWER system issues create a critical vulnerability for denial-of-service attacks; malicious programmers can stop the security modules from inspecting, processing and responding to packets.
Devices compromised include the following:
- Cisco FirePOWER 7000 Series Appliances;
- Cisco FirePOWER 8000 Series Appliances;
- Cisco Advanced Malware Protection for Networks running on Cisco FirePOWER 7000 Series appliances;
- Cisco Advanced Malware Protection for Networks running on Cisco FirePOWER 8000 Series appliances;
- The Adaptive Security Appliance 5585-X FirePOWER Security Services Processor module.
Open SSL Project Updates Impact Cisco Projects
The new patches come while Cisco is working to identify products that could be affected by last week’s OpenSSL Project announcement as well. The project is effectively patching its own vulnerabilities — one OpenSSL patch stops a man-in-the-middle exploit that could allow malicious hackers to decrypt traffic, as reported by SecurityWeek.
Another significant weak spot involves a bug that creates intrusion vectors around large universal tags. In this instance, cyberattackers could corrupt system memory, causing crashes and/or opening avenues where they can execute arbitrary code.
Cisco will issue advisory updates around the OpenSSL patches as its investigation of potentially impacted products continues.