Feed aggregator

Multiple Vulnerabilities in Cisco WebEx Recording Format and Advanced Recording Format Players

Cisco Security Advisories - Wed, 2017-11-29 14:45
Multiple vulnerabilities exist in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A remote attacker could exploit these vulnerabilities by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.

The Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.

Cisco has updated affected versions of the Cisco WebEx Business Suite meeting sites, Cisco WebEx Meetings sites, Cisco WebEx Meetings Server, and Cisco WebEx ARF and WRF Players to address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex-players
Security Impact Rating: Critical
CVE: CVE-2017-12367,CVE-2017-12368,CVE-2017-12369,CVE-2017-12370,CVE-2017-12371,CVE-2017-12372
Categories: Security Alerts

Cisco Secure Access Control System Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the web-based interface of Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to view sensitive information on an affected system.

The vulnerability exists because the affected software does not sufficiently protect system software version information when the software responds to HTTP requests that are sent to the web-based interface of the software. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based interface of the affected software. A successful exploit could allow the attacker to view sensitive information about the software, which the attacker could use to conduct additional reconnaissance attacks.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-acs
Security Impact Rating: Medium
CVE: CVE-2017-12354
Categories: Security Alerts

Cisco WebEx Meeting Center URL Redirection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Meeting Center could allow an authenticated, remote attacker to initiate connections to arbitrary hosts.

The vulnerability is due to insufficient access control for HTTP traffic directed to the Cisco WebEx Meeting Center. An attacker could exploit this vulnerability by sending a malicious URL to the Cisco WebEx Meeting Center. An exploit could allow the attacker to connect to arbitrary hosts.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-wmc
Security Impact Rating: Medium
CVE: CVE-2017-12297
Categories: Security Alerts

Cisco WebEx Meeting Center Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Meeting Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of an affected system.

The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex5
Security Impact Rating: Medium
CVE: CVE-2017-12366
Categories: Security Alerts

Cisco WebEx Event Center Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Event Center could allow an authenticated, remote attacker to view unlisted meeting information.

The vulnerability is due to a design flaw in the product. An attacker could execute a query on an Event Center site to view scheduled meetings. A successful query would show both listed and unlisted meetings in the displayed information. An attacker could use this information to attend meetings that are not available for their attendance.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex4
Security Impact Rating: Medium
CVE: CVE-2017-12365
Categories: Security Alerts

Cisco WebEx Meeting Server Unauthorized Welcome Message Modification Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Meeting Server could allow an unauthenticated, remote attacker to modify the welcome message of a meeting on an affected system.

The vulnerability is due to insufficient security settings on meetings. An attacker could exploit this vulnerability by modifying the welcome message to a meeting. A successful exploit could allow the attacker to modify the welcome message of any known meeting.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex3
Security Impact Rating: Medium
CVE: CVE-2017-12363
Categories: Security Alerts

Cisco WebEx Network Recording Player Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Network Recording Player for WebEx Recording Format (WRF) files could allow an attacker to cause a denial of service (DoS) condition. An attacker could exploit this vulnerability by providing a user with a malicious WRF file via email or URL and convincing the user to open the file. A successful exploit could cause an affected player to crash, resulting in a DoS condition.

Cisco WebEx players are applications that are used to play back WebEx meeting recordings that have been recorded by an online meeting attendee. The player can be automatically installed when the user accesses a recording file that is hosted on a WebEx server.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex1
Security Impact Rating: Medium
CVE: CVE-2017-12360
Categories: Security Alerts

Cisco WebEx Network Recording Player Buffer Overflow Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (.arf) files could allow an attacker to execute arbitrary code on a system. An attacker could exploit this vulnerability by providing a user with a malicious .arf file via email or URL and convincing the user to launch the file. Exploitation of this vulnerability could allow arbitrary code execution on the system of the targeted user.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex
Security Impact Rating: Medium
CVE: CVE-2017-12359
Categories: Security Alerts

Multiple Vulnerabilities in Cisco UCS Central Software

Cisco Security Advisories - Wed, 2017-11-29 14:00
Multiple vulnerabilities in the web-based management interface of Cisco UCS Central Software could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the affected interface or hijack a valid session ID from a user of the affected interface.

For more information about these vulnerabilities, see the “Details” section of this security advisory.

There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-ucs-central
Security Impact Rating: Medium
CVE: CVE-2017-12348,CVE-2017-12349
Categories: Security Alerts

Cisco Multilayer Director, Nexus 7000 Series, and Nexus 7700 Series Switches Bash Shell Unauthorized Access Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated, local attacker to access the Bash shell of an affected device's operating system, even if the Bash shell is disabled on the system.

The vulnerability is due to insufficient sanitization of user-supplied parameters that are passed to certain functions of the Python scripting sandbox of the affected system. An attacker could exploit this vulnerability to escape the scripting sandbox and enter the Bash shell of the operating system with the privileges of the authenticated user for the affected system. To exploit this vulnerability, the attacker must have local access to the affected system and be authenticated to the affected system with administrative or Python execution privileges.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-switch
Security Impact Rating: Medium
CVE: CVE-2017-12340
Categories: Security Alerts

Cisco Prime Service Catalog SQL Injection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the web framework of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to execute unauthorized Structured Query Language (SQL) queries.

The vulnerability is due to a failure to validate user-supplied input that is used in SQL queries. An attacker could exploit this vulnerability by sending a crafted SQL statement to an affected system. Successful exploitation could allow the attacker to read entries in some database tables.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-prime
Security Impact Rating: Medium
CVE: CVE-2017-12364
Categories: Security Alerts

Cisco Nexus Series Switches Open Agent Container Code Execution Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the Open Agent Container (OAC) feature of Cisco Nexus Series Switches could allow an unauthenticated, local attacker to read and send packets outside the scope of the OAC.

The vulnerability is due to insufficient internal security measures in the OAC feature. An attacker could exploit this vulnerability by crafting specific packets for communication on the device-internal network. A successful exploit could allow the attacker to run code on the underlying host operating system.

OAC is not enabled by default. For a device to be vulnerable, an administrator would need to install and activate this feature.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos9
Security Impact Rating: Medium
CVE: CVE-2017-12342
Categories: Security Alerts

Cisco NX-OS System Software Patch Installation Command Injection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. An attacker would need valid administrator credentials to perform this exploit.

The vulnerability is due to insufficient input validation during the installation of a software patch. An attacker could exploit this vulnerability by installing a crafted patch image with the vulnerable operation occurring prior to patch activation. An exploit could allow the attacker to execute arbitrary commands on an affected system as root.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos8
Security Impact Rating: Medium
CVE: CVE-2017-12341
Categories: Security Alerts

Cisco NX-OS System Software CLI Command Injection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack.

The vulnerability is due to insufficient input validation of command arguments to the CLI parser. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. An exploit could allow the attacker to execute arbitrary commands at the user's privilege level. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow the attacker to execute commands at the user's privilege level outside the user's environment.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos7
Security Impact Rating: Medium
CVE: CVE-2017-12339
Categories: Security Alerts

Cisco NX-OS System Software CLI Arbitrary File Read Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to read the contents of arbitrary files.

The vulnerability is due to insufficient input validation for a specific CLI command. An attacker could exploit this vulnerability by issuing a crafted command on the CLI. An exploit could allow the attacker unauthorized access to read arbitrary files on the underlying local file system. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow an attacker to read files from any VDC.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos6
Security Impact Rating: Medium
CVE: CVE-2017-12338
Categories: Security Alerts

Cisco NX-OS System Software Interactive TCL Shell Escape Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the TCL scripting subsystem of Cisco NX-OS System Software could allow an authenticated, local attacker to escape the interactive TCL shell and gain unauthorized access to the underlying operating system of the device.

The vulnerability exists due to insufficient input validation of user-supplied files passed to the interactive TCL shell of the affected device. An attacker could exploit this vulnerability to escape the scripting sandbox and execute arbitrary commands on the underlying operating system with the privileges of the authenticated user.

To exploit this vulnerability, an attacker must have local access and be authenticated to the targeted device with administrative or tclsh execution privileges.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos5
Security Impact Rating: Medium
CVE: CVE-2017-12336
Categories: Security Alerts

Cisco NX-OS System Software CLI Command Injection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack.

The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command and gain unauthorized access to the underlying operating system of the device. An exploit could allow the attacker to execute arbitrary commands at the user’s privilege level. On products that support multiple virtual device contexts (VDCs), this vulnerability could allow an attacker to execute commands at the user’s privilege level outside the user’s environment.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos4
Security Impact Rating: Medium
CVE: CVE-2017-12335
Categories: Security Alerts

Cisco NX-OS System Software CLI Command Injection Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the CLI of Cisco NX-OS System Software could allow an authenticated, local attacker to perform a command injection attack. An attacker would need valid administrator credentials to perform this exploit.

The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command. An exploit could allow the attacker to execute arbitrary commands as root.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos3
Security Impact Rating: Medium
CVE: CVE-2017-12334
Categories: Security Alerts

Cisco NX-OS System Software Image Signature Bypass Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software image.

The vulnerability is due to insufficient NX-OS signature verification for software images. An authenticated, local attacker could exploit this vulnerability to bypass signature verification and load a crafted, unsigned software image on a targeted device. The attacker would need valid administrator credentials to perform this exploit.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos2
Security Impact Rating: Medium
CVE: CVE-2017-12333
Categories: Security Alerts

Cisco NX-OS System Software Guest Shell Unauthorized Internal Interface Access Vulnerability

Cisco Security Advisories - Wed, 2017-11-29 14:00
A vulnerability in the guest shell feature of Cisco NX-OS System Software could allow an authenticated, local attacker to read and send packets outside the scope of the guest shell container. An attacker would need valid administrator credentials to perform this attack.

The vulnerability is due to insufficient internal security measures in the guest shell feature. An attacker could exploit this vulnerability by sending or receiving packets on the device-internal network outside of the guest shell container.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-nxos10
Security Impact Rating: Medium
CVE: CVE-2017-12351
Categories: Security Alerts

Pages

Subscribe to Willing Minds aggregator