Cisco Smart Switches Riddled with Severe Security Holes
Cisco has flagged and patched several high-severity security vulnerabilities in its Cisco Small Business 220 Series Smart Switches that could allow session hijacking, arbitrary code execution, cross-site scripting and HTML injection.
It also issued fixes for high-severity problems in the AnyConnect secure mobility client, the Cisco DNA Center and the Cisco Email Security Appliance, along with a slew of patches for medium-severity vulnerabilities in AnyConnect, Jabber, Meeting Server, Unified Intelligence Center and Webex.
The high-severity issues are as follows:
- CVE-2021-1566: Cisco Email Security Appliance and Cisco Web Security Appliance (Certificate-Validation Vulnerability)
- CVE-2021-1134: Cisco DNA Center (Certificate Validation Vulnerability)
- CVE-2021-1541 through 1543; CVE-2021-1571: Cisco Small Business 220 Series Smart Switches (Session Hijacking, Arbitrary Code-Execution, Cross-Site Scripting, HTML Injection)
- CVE-2021-1567: Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module (DLL Hijacking)
The most severe issue in this crop of patches is tracked as CVE-2021-1542, in the Cisco Small Business 220 Series Smart Switches. These are entry-level switches that act as the basic building blocks for small- and medium-sized business networks. They’re responsible for sharing network resources and connecting various clients, including computers, printers and servers, to the network and each other, along with security, governing network performance and more.
The bug rates 7.5 on the 10-point CVSS vulnerability-severity scale, and arises from weak session management for the web-based management interface of the switches. An unauthenticated, remote attacker could use it to bypass authentication protections and gain unauthorized access to the interface, according to the advisory. The attacker could then obtain the privileges of the hijacked session account, which could include administrative privileges, and thus gain free rein on the switch.
“This vulnerability is due to the use of weak session management for session identifier values,” according to Cisco. “An attacker could exploit this vulnerability by using reconnaissance methods to determine how to craft a valid session identifier. A successful exploit could allow the attacker [to] take actions within the management interface with privileges up to the level of the administrative user.”
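The weakness Cisco describes is an identifier whose construction can be inferred from a few observed values. The following Python session store is an added example, not Cisco's code and not derived from the switch firmware: it issues identifiers from the OS CSPRNG, keeps only a hash of each token server-side, and enforces an expiry. The store, the 15-minute TTL and the user/role records are constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session store for a hypothetical web management
# interface. Only a SHA-256 of each issued token is kept server-side, so a
# leaked session table cannot be replayed as live sessions.
SESSION_TTL_SECONDS = 15 * 60
_sessions: Dict[str, dict] = {}   # token_hash -> {"user", "role", "expires"}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_session(user: str, role: str, now: Optional[float] = None) -> str:
    """Issue a session identifier with 256 bits of CSPRNG entropy.

    The weak pattern is deriving the identifier from something observable
    (a counter, a timestamp, a hash of the username): a few captured values
    let an attacker work out how the next one is formed. secrets.token_urlsafe
    draws from the OS CSPRNG, so no identifier says anything about another.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 32 random bytes -> 43 chars
    _sessions[_hash_token(token)] = {
        "user": user,
        "role": role,
        "expires": now + SESSION_TTL_SECONDS,
    }
    return token


def validate_session(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session record for a live token, or None.

    The lookup key is the hash of the presented token, not the token itself:
    the caller controls the input but cannot predict the hash, so the table
    lookup leaks nothing about which stored token was close to a guess.
    """
    now = time.time() if now is None else now
    key = _hash_token(token)
    record = _sessions.get(key)
    if record is None:
        return None
    if now >= record["expires"]:
        _sessions.pop(key, None)               # expired: drop so it cannot be reused
        return None
    return record


def revoke_session(token: str) -> bool:
    """Explicit logout. Returns True if a session was actually removed."""
    return _sessions.pop(_hash_token(token), None) is not None
```

A quick self-check for any management interface is to log a handful of issued identifiers and look for a counter, a timestamp or a user-derived prefix; identifiers produced as above share no structure between issues.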
Multiple Patches for Smart Switches
There are also multiple other security flaws in the same web-management interface. For instance, the bug tracked as CVE-2021-1541 is an arbitrary code-execution vulnerability that would allow an authenticated, remote attacker to execute arbitrary commands as a root user on the underlying operating system.
“This vulnerability is due to a lack of parameter validation for TFTP configuration parameters,” according to Cisco. “An attacker could exploit this vulnerability by entering crafted input for specific TFTP configuration parameters. A successful exploit could allow the attacker to execute arbitrary commands as a root user on the underlying operating system.”
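The root cause Cisco names is configuration parameters reaching the operating system without validation. The following Python is an added example, not Cisco's code: it shows a hypothetical TFTP backup/restore handler that validates the server and filename parameters against strict allow-lists and builds an argument list for the process API rather than a shell string. The `tftp` argv layout, the regular expressions and the sample values are assumptions for illustration.

```python
import ipaddress
import re
from typing import List

# Hypothetical TFTP backup/restore parameters for a switch management UI.
# The weak pattern is interpolating the parameters into a shell command
# string; the hardened form validates each value against a strict allow-list
# and returns an argv list for subprocess.run(argv) (shell=False), so no
# shell ever parses the values.

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Single path component: starts alphanumeric, then alphanumerics . _ - only.
_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_valid_tftp_server(value: str) -> bool:
    try:
        ipaddress.ip_address(value)            # IPv4 or IPv6 literal
        return True
    except ValueError:
        return _HOSTNAME_RE.match(value) is not None


def is_valid_tftp_filename(value: str) -> bool:
    # The regex already excludes '/', whitespace and shell metacharacters;
    # the '..' check rejects names like 'a..' that would otherwise pass.
    return _FILENAME_RE.match(value) is not None and ".." not in value


def build_tftp_argv(server: str, filename: str, operation: str) -> List[str]:
    """Validate the three parameters and return an argv list, or raise."""
    if operation not in ("get", "put"):
        raise ValueError("operation must be 'get' or 'put'")
    if not is_valid_tftp_server(server):
        raise ValueError("server must be an IP address or hostname")
    if not is_valid_tftp_filename(filename):
        raise ValueError("filename must be a single plain path component")
    # Each list element reaches the tftp binary as exactly one argument.
    return ["tftp", server, "-c", operation, filename]


def build_tftp_command_unsafe(server: str, filename: str, operation: str) -> str:
    """The weak pattern, for contrast only: never execute this string.

    Whatever the user typed is spliced into shell syntax unchanged, which is
    how a configuration parameter turns into command execution as the
    account running the management daemon.
    """
    return f"tftp {server} -c {operation} {filename}"
```

The allow-list approach is deliberately stricter than "strip dangerous characters": a hostname or filename has a small, well-defined grammar, so anything outside it is rejected rather than cleaned.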
The attacker must have valid administrative credentials on the device in order to exploit the issue, so the CVSS score comes in at 7.2 rather than critical.
The issue tracked as CVE-2021-1543, meanwhile, allows cross-site scripting from an unauthenticated, remote attacker (CVSS score: 6.1).
“This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected device,” according to Cisco. “An attacker could exploit this vulnerability by persuading a user to click a malicious link and access a specific page. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information and redirect the user to an arbitrary page.”
And finally, CVE-2021-1571 (rating 6.1 on the CVSS scale) could allow an unauthenticated, remote attacker to conduct an HTML injection attack.
“This vulnerability is due to improper checks of parameter values in affected pages,” according to the advisory. “An attacker could exploit this vulnerability by persuading a user to follow a crafted link that is designed to pass HTML code into an affected parameter. A successful exploit could allow the attacker to alter the contents of a web page to redirect the user to potentially malicious websites.”
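Both of the switch web-interface bugs above, CVE-2021-1543 (cross-site scripting) and CVE-2021-1571 (HTML injection), come down to parameter values being written into a page without validation or encoding, with redirection to an arbitrary page as one of the consequences. The following Python is an added example, not Cisco's code: it renders two user-controlled parameters with contextual HTML encoding and restricts a redirect target to a same-site path or an allow-listed host. The page layout, the allow-list and the sample parameters are assumptions.

```python
import html
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of hosts the management UI may redirect to.
ALLOWED_HOSTS = {"switch.example.internal"}


def safe_redirect_target(target: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = "/") -> str:
    """Return target if it is a same-site path or an allow-listed absolute URL,
    otherwise the default. This is what stops a crafted link parameter from
    sending the user to an arbitrary page."""
    target = target.strip()
    # Backslashes and line breaks let browsers reinterpret the URL; reject outright.
    if any(ch in target for ch in "\\\r\n"):
        return default
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference. urlsplit reports '//host' as a netloc, so a
        # protocol-relative redirect never reaches this branch.
        if parts.path.startswith("/"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return default
    if parts.scheme in ("http", "https") and parts.hostname in set(allowed_hosts):
        return target
    return default


def render_page(title_param: str, next_param: str) -> str:
    """Render two user-controlled values into HTML with contextual encoding.

    title_param lands in element content, next_param in an href attribute.
    html.escape(quote=True) neutralises < > & " ' in both contexts, and the
    href is additionally restricted by safe_redirect_target before encoding.
    """
    title = html.escape(title_param, quote=True)
    href = html.escape(safe_redirect_target(next_param), quote=True)
    return f"<h1>{title}</h1>\n<a href=\"{href}\">Continue</a>"
```

Encoding alone would not have closed the redirect case: an attribute value can be perfectly well-formed HTML and still point at an attacker-chosen host, which is why the destination is validated as a URL before it is encoded as HTML.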
Cisco’s Other High-Severity Security Holes
The other high-severity bugs that Cisco addressed on Wednesday include the certificate-validation vulnerability (CVE-2021-1566) in the Cisco Email Security Appliance (ESA) and Cisco Web Security Appliance (WSA). It exists in the way the Cisco Advanced Malware Protection (AMP) for Endpoints integrates with Cisco AsyncOS. If exploited, the bug could allow an unauthenticated, remote attacker to intercept traffic between an affected device and the AMP servers. It rates 7.4 on the 10-point CVSS bug-severity scale.
“This vulnerability is due to improper certificate validation when an affected device establishes TLS connections,” according to the advisory. “A man-in-the-middle attacker could exploit this vulnerability by sending a crafted TLS packet to an affected device. A successful exploit could allow the attacker to spoof a trusted host and then extract sensitive information or alter certain API requests.”
The bug (CVE-2021-1134) in the Cisco DNA Center, a network controller and management dashboard, also rates 7.4. It exists in the Cisco Identity Services Engine (ISE) integration feature of the software, and could also allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data.
“The vulnerability is due to an incomplete validation of the X.509 certificate used when establishing a connection between DNA Center and an ISE server,” according to the advisory. “An attacker could exploit this vulnerability by supplying a crafted certificate and could then intercept communications between the ISE and DNA Center. A successful exploit could allow the attacker to view and alter sensitive information that the ISE maintains about clients that are connected to the network.”
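Both CVE-2021-1566 (ESA/WSA to the AMP servers) and CVE-2021-1134 (DNA Center to ISE) are the same class of defect: a TLS client that does not fully validate the certificate the peer presents. The following Python is an added example, not Cisco's code, showing the weak client configuration beside the corrected one using the standard `ssl` module, plus an optional fingerprint pin checked after chain validation. The pin list and the DER byte string are constructed stand-ins; a real client would pin against a fingerprint it recorded out of band.

```python
import hashlib
import hmac
import ssl
from typing import Iterable, Optional

# Constructed stand-in for a DER-encoded peer certificate; a real client
# would take ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
SAMPLE_DER_CERT = b"constructed-der-bytes-not-a-real-certificate"


def weak_client_context() -> ssl.SSLContext:
    """The configuration behind 'improper certificate validation'.

    With verify_mode CERT_NONE the peer's chain is never checked, and with
    check_hostname off the name in the certificate is never compared to the
    host we meant to reach, so anyone on the path can present their own
    certificate and read or alter the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against a trust store plus hostname matching."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_enforces_validation(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pinned_sha256: Iterable[str]) -> bool:
    """Second check after chain validation: the presented leaf must match a pin.

    Pinning on top of (not instead of) chain validation means a certificate
    that a CA was tricked into issuing still fails here. The comparison is
    constant-time so timing does not reveal how many leading digits matched.
    """
    actual = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(actual, pin.lower()) for pin in pinned_sha256)
```

When reviewing an integration like the ESA-to-AMP or DNA Center-to-ISE link, the two settings to confirm are exactly the ones `context_enforces_validation` checks: the chain is required to verify against a trust store the operator controls, and the certificate's name is matched against the configured peer.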
And finally, a vulnerability (CVE-2021-1567) in the DLL loading mechanism of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack.
It’s only exploitable if the VPN Posture (HostScan) Module is installed on the AnyConnect client, and it carries a 7.0 CVSS rating. VPN Posture helps to gather information about what operating system, antivirus, antispyware and other installed software is present on remote hosts, and it performs endpoint assessment while allowing a connection to the VPN.
“This vulnerability is due to a race condition in the signature verification process for DLL files that are loaded on an affected device,” according to Cisco. “An attacker could exploit this vulnerability by sending a series of crafted interprocess communication (IPC) messages to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.”
Medium-Severity Cisco Security Patches
The networking giant also addressed the following medium-severity issues:
- CVE-2021-1524: Cisco Meeting Server API (Denial of Service Vulnerability)
- CVE-2021-1569 and CVE-2021-1570: Cisco Jabber Desktop and Mobile Client Software Vulnerabilities
- CVE-2021-1395: Cisco Unified Intelligence Center (Reflected XSS)
- CVE-2021-1568: Cisco AnyConnect Secure Mobility Client for Windows (DoS)
- CVE-2021-1242: Cisco Jabber and Webex Client Software (Shared File Manipulation)
Patching and affected-version information is available in each of the advisories.
Source: threatpost.com