Feed aggregator

Cisco SD-WAN vManage Software Information Disclosure Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the History API of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain access to sensitive information on an affected system.

This vulnerability is due to insufficient API authorization checking on the underlying operating system. An attacker could exploit this vulnerability by sending a crafted API request to Cisco vManage as a lower-privileged user and gaining access to sensitive information that they would not normally be authorized to access.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vman-infodis-73sHJNEq
Security Impact Rating: Medium
CVE: CVE-2022-20747
Categories: Security Alerts

Cisco SD-WAN vEdge Routers Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the NETCONF process of Cisco SD-WAN vEdge Routers could allow an authenticated, local attacker to cause an affected device to run out of memory, resulting in a denial of service (DoS) condition.

This vulnerability is due to insufficient memory management when an affected device receives large amounts of traffic. An attacker could exploit this vulnerability by sending malicious traffic to an affected device. A successful exploit could allow the attacker to cause the device to crash, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vedge-dos-jerVm4bB
Security Impact Rating: Medium
CVE: CVE-2022-20717
Categories: Security Alerts

Cisco SD-WAN vManage Software Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as the root user. The attacker must be authenticated on the affected system as a low-privileged user to exploit this vulnerability.

This vulnerability exists because a file leveraged by a root user is executed when a low-privileged user runs specific commands on an affected system. An attacker could exploit this vulnerability by injecting arbitrary commands into a specific file as a lower-privileged user and then waiting until an admin user executes specific commands. The commands would then be executed on the device by the root user. A successful exploit could allow the attacker to escalate their privileges on the affected system from a low-privileged user to the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-vman-tEJFpBSL
Security Impact Rating: High
CVE: CVE-2022-20739
Categories: Security Alerts

Cisco SD-WAN Solution Improper Access Control Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain escalated privileges.

This vulnerability is due to improper access control on files within the affected system. A local attacker could exploit this vulnerability by modifying certain files on the vulnerable device. If successful, the attacker could gain escalated privileges and take actions on the system with the privileges of the root user.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-file-access-VW36d28P
Security Impact Rating: High
CVE: CVE-2022-20716
Categories: Security Alerts

Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the NETCONF over SSH feature of Cisco IOS XE Software could allow a low-privileged, authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient resource management. An attacker could exploit this vulnerability by initiating a large number of NETCONF over SSH connections. A successful exploit could allow the attacker to exhaust resources, causing the device to reload and resulting in a DoS condition on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20692
Categories: Security Alerts

Cisco IOS XR Software for ASR 9000 Series Routers Lightspeed-Plus Line Cards Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the data plane microcode of Lightspeed-Plus line cards for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause the line card to reset.

This vulnerability is due to the incorrect handling of malformed packets that are received on the Lightspeed-Plus line cards. An attacker could exploit this vulnerability by sending a crafted IPv4 or IPv6 packet through an affected device. A successful exploit could allow the attacker to cause the Lightspeed-Plus line card to reset, resulting in a denial of service (DoS) condition for any traffic that traverses that line card.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lsplus-Z6AQEOjk

This advisory is part of the April 2022 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco IOS XR Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74835).
Security Impact Rating: High
CVE: CVE-2022-20714
Categories: Security Alerts

Cisco IOx Application Hosting Environment Vulnerabilities

Cisco Security Advisories - Wed, 2022-04-13 16:00
Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software.

For more information about these vulnerabilities, see the Details section of the advisory at the link below.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-yuXQ6hFj

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: Medium
CVE: CVE-2022-20677,CVE-2022-20718,CVE-2022-20719,CVE-2022-20720,CVE-2022-20721,CVE-2022-20722,CVE-2022-20723,CVE-2022-20724,CVE-2022-20725,CVE-2022-20726,CVE-2022-20727
Categories: Security Alerts

Cisco IOS XE Software Border Gateway Protocol Resource Public Key Infrastructure Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the implementation of the Resource Public Key Infrastructure (RPKI) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the Border Gateway Protocol (BGP) process to crash, resulting in a denial of service (DoS) condition.

This vulnerability is due to the incorrect handling of a specific RPKI to Router (RTR) Protocol packet header. An attacker could exploit this vulnerability by compromising the RPKI validator server and sending a specifically crafted RTR packet to an affected device. Alternatively, the attacker could use man-in-the-middle techniques to impersonate the RPKI validator server and send a crafted RTR response packet over the established RTR TCP connection to the affected device. A successful exploit could allow the attacker to cause a DoS condition because the BGP process could constantly restart and BGP routing could become unstable.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: Medium
CVE: CVE-2022-20694
Categories: Security Alerts

Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco IOS XE Software could allow an authenticated, local attacker to escalate from privilege level 15 to root-level privileges.

This vulnerability is due to insufficient input validation of data that is passed into the Tcl interpreter. An attacker could exploit this vulnerability by loading malicious Tcl code on an affected device. A successful exploit could allow the attacker to execute arbitrary commands as root. By default, Tcl shell access requires privilege level 15.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: Medium
CVE: CVE-2022-20676
Categories: Security Alerts

Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Catalyst 9000 Family Wireless Controllers Privilege Escalation Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the CLI of Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Cisco Catalyst 9000 Family Wireless Controllers could allow an authenticated, local attacker to elevate privileges to level 15 on an affected device.

This vulnerability is due to insufficient validation of user privileges after the user executes certain CLI commands. An attacker could exploit this vulnerability by logging in to an affected device as a low-privileged user and then executing certain CLI commands. A successful exploit could allow the attacker to execute arbitrary commands with level 15 privileges on the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20681
Categories: Security Alerts

Cisco 1000 Series Connected Grid Router Integrated Wireless Access Point Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the integrated wireless access point (AP) packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient input validation of received traffic. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the integrated AP to stop processing traffic, resulting in a DoS condition. It may be necessary to manually reload the CGR1K to restore AP operation.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20761
Categories: Security Alerts

Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches Vulnerabilities

Cisco Security Advisories - Wed, 2022-04-13 16:00
Multiple vulnerabilities that affect Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches could allow an attacker to execute persistent code at boot time or to permanently prevent the device from booting, resulting in a permanent denial of service (DoS) condition.

For more information about these vulnerabilities, see the Details section of the advisory at the link below.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-dos-KJjFtNb
Security Impact Rating: High
CVE: CVE-2022-20661,CVE-2022-20731
Categories: Security Alerts

Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP Trap Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in Simple Network Management Protocol (SNMP) trap generation for wireless clients of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, adjacent attacker to cause an affected device to unexpectedly reload, resulting in a denial of service (DoS) condition on the device.

This vulnerability is due to a lack of input validation of the information used to generate an SNMP trap related to a wireless client connection event. An attacker could exploit this vulnerability by sending an 802.1x packet with crafted parameters during the wireless authentication setup phase of a connection. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20684
Categories: Security Alerts

Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Application Visibility and Control Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the Application Visibility and Control (AVC-FNF) feature of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

This vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature. An attacker could exploit this vulnerability by sending crafted packets from the wired network to a wireless client, resulting in the crafted packets being processed by the wireless controller. A successful exploit could allow the attacker to cause a crash and reload of the affected device, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20683
Categories: Security Alerts

Cisco IOS XR Software Border Gateway Protocol Ethernet VPN Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the implementation of the Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

This vulnerability is due to the incorrect processing of a BGP update message that contains specific EVPN attributes. An attacker could exploit this vulnerability by sending a BGP update message that contains specific EVPN attributes. To exploit this vulnerability, an attacker must control a BGP speaker that has an established trusted peer connection to an affected device that is configured with the address family L2VPN EVPN to receive and process the update message. This vulnerability cannot be exploited by any data that is initiated by clients on the Layer 2 network or by peers that are not configured to accept the L2VPN EVPN address family. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition.

The Cisco implementation of BGP accepts incoming BGP updates only from explicitly defined peers. For this vulnerability to be exploited, the malicious BGP update message must either come from a configured, valid BGP peer or be injected by the attacker into the affected BGP network on an existing, valid TCP connection to a BGP peer.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb

This advisory is part of the April 2022 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Cisco IOS XR Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74835).
Security Impact Rating: Medium
CVE: CVE-2022-20758
Categories: Security Alerts

Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-13 16:00
A vulnerability in the AppNav-XE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

This vulnerability is due to the incorrect handling of certain TCP segments. An attacker could exploit this vulnerability by sending a stream of crafted TCP traffic at a high rate through an interface of an affected device. That interface would need to have AppNav interception enabled. A successful exploit could allow the attacker to cause the device to reload.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4

This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication (https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74561).
Security Impact Rating: High
CVE: CVE-2022-20678
Categories: Security Alerts

AA22-103A: APT Cyber Tools Targeting ICS/SCADA Devices

US-CERT - Wed, 2022-04-13 10:00
Original release date: April 13, 2022
Summary

Actions to Take Today to Protect ICS/SCADA Devices:
• Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
• Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
• Leverage a properly installed continuous OT monitoring solution to log and alert on malicious indicators and behaviors.

The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices, including:

  • Schneider Electric programmable logic controllers (PLCs),
  • OMRON Sysmac NEX PLCs, and
  • Open Platform Communications Unified Architecture (OPC UA) servers.

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions.

DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices. 


Technical Details

APT actors have developed custom-made tools that, once they have established initial access in an OT network, enable them to scan for, compromise, and control certain ICS/SCADA devices, including the following:

  • Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
  • OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and 
  • OPC Unified Architecture (OPC UA) servers.  

The APT actors’ tools have a modular architecture and enable cyber actors to conduct highly automated exploits against targeted devices. The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, enabling lower-skilled cyber actors to emulate the capabilities of higher-skilled actors.

The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. 

In addition, the APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.

APT Tool for Schneider Electric Devices  

The APT actors’ tool for Schneider Electric devices has modules that interact via normal management protocols and Modbus (TCP 502). Modules may allow cyber actors to:

  • Run a rapid scan that identifies all Schneider PLCs on the local network via User Datagram Protocol (UDP) multicast with a destination port of 27127 (Note: UDP 27127 is a standard discovery scan used by engineering workstations to discover PLCs and may not be indicative of malicious activity);
  • Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available); 
  • Conduct a denial-of-service attack to prevent network communications from reaching the PLC;
  • Sever connections, requiring users to re-authenticate to the PLC, likely to facilitate capture of credentials; 
  • Conduct a ‘packet of death’ attack to crash the PLC until a power cycle and configuration recovery is conducted; and 
  • Send custom Modbus commands (Note: this capability may work against Modbus devices other than Schneider Electric PLCs).

Refer to the appendix for tactics, techniques, and procedures (TTPs) associated with this tool.

APT Tool for OMRON 

The APT actors’ tool for OMRON devices has modules that can interact by:

  • Scanning for OMRON devices using the Factory Interface Network Service (FINS) protocol;
  • Parsing the Hypertext Transfer Protocol (HTTP) response from OMRON devices;
  • Retrieving the media access control (MAC) address of the device;
  • Polling for specific devices connected to the PLC;
  • Backing up/restoring arbitrary files to/from the PLC; and
  • Loading a custom malicious agent on OMRON PLCs for additional attacker-directed capability.

Additionally, the OMRON modules can upload an agent that allows a cyber actor to connect and initiate commands—such as file manipulation, packet captures, and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS). 

Refer to the appendix for TTPs associated with this tool.
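The Schneider and OMRON tool descriptions above give a defender concrete network artifacts to look for: UDP 27127 discovery, bursts of UDP 1740 (CODESYS password guessing), Modbus on TCP 502, and FINS scanning. The following detection logic is an added example written for this page; it is not part of the CISA advisory and is not any vendor's tool. It assumes a simplified whitespace-separated flow record layout, an inventory of known engineering workstations (so that the normal UDP 27127 discovery the advisory warns about is not flagged), a 60-second window and thresholds chosen for illustration, FINS on its documented default UDP port 9600 (a value the advisory does not state), and a placeholder multicast group address; the sample flows are constructed, not captured traffic.

```python
"""Flag flows matching the ICS tool TTPs described in AA22-103A.

Added example; not part of the CISA advisory. Flow records use an assumed
whitespace-separated layout:  ts  src_ip  dst_ip  proto  dst_port
"""
from collections import defaultdict

# Ports stated in the advisory: Schneider PLC discovery (UDP 27127),
# CODESYS password brute force (UDP 1740), Modbus (TCP 502).
# FINS on UDP 9600 is the protocol's documented default, not an advisory value.
SCHNEIDER_DISCOVERY_PORT = 27127
CODESYS_PORT = 1740
MODBUS_PORT = 502
FINS_PORT = 9600

# Assumed inventory: hosts allowed to speak engineering protocols. The advisory
# notes UDP 27127 discovery is normal from engineering workstations, so those
# must be allow-listed or the rule will page on every project download.
KNOWN_ENGINEERING_WORKSTATIONS = {"10.10.1.5"}

BRUTE_FORCE_THRESHOLD = 20   # UDP/1740 datagrams to one PLC inside the window
WINDOW_SECONDS = 60
SWEEP_DISTINCT_TARGETS = 5   # distinct FINS/Modbus endpoints from one source


def parse_flows(text):
    """Parse the assumed flow layout; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port = line.split()
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "port": int(port)})
    return flows


def max_in_window(times, window=WINDOW_SECONDS):
    """Largest number of timestamps that fit inside any `window`-second span."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(flows):
    """Return (src, rule, detail) tuples for flows matching the tool TTPs."""
    alerts = []
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["proto"], f["port"])].append(f)

    for (src, proto, port), group in groups.items():
        trusted = src in KNOWN_ENGINEERING_WORKSTATIONS
        dests = {f["dst"] for f in group}

        # Rule 1: Schneider discovery (UDP 27127) from a non-EWS host.
        if proto == "udp" and port == SCHNEIDER_DISCOVERY_PORT and not trusted:
            alerts.append((src, "schneider_discovery_from_untrusted_host", len(group)))

        # Rule 2: burst of UDP/1740 to one PLC, the brute-force pattern.
        # Applied to trusted hosts too: a compromised EWS is the expected pivot.
        if proto == "udp" and port == CODESYS_PORT:
            for dst in sorted(dests):
                times = [f["ts"] for f in group if f["dst"] == dst]
                if max_in_window(times) >= BRUTE_FORCE_THRESHOLD:
                    alerts.append((src, "codesys_password_bruteforce", dst))

        # Rule 3: one untrusted source touching many FINS or Modbus endpoints.
        is_fins = proto == "udp" and port == FINS_PORT
        is_modbus = proto == "tcp" and port == MODBUS_PORT
        if (is_fins or is_modbus) and not trusted and len(dests) >= SWEEP_DISTINCT_TARGETS:
            alerts.append((src, f"ics_sweep_port_{port}", len(dests)))
    return alerts


def constructed_sample():
    """Constructed flow records (not captured traffic). 239.0.0.1 stands in
    for the discovery multicast group, whose real address is not given here."""
    lines = ["# ts src dst proto port",
             "1000.0 10.10.1.5 239.0.0.1 udp 27127",    # legitimate EWS discovery
             "1001.0 10.10.1.77 239.0.0.1 udp 27127"]   # unknown host discovery
    lines += [f"{1010 + i}.0 10.10.1.77 10.10.2.20 udp 1740" for i in range(25)]
    lines += [f"{2000 + i}.0 10.10.1.77 10.10.3.{i + 1} udp 9600" for i in range(6)]
    return "\n".join(lines)


def run_demo():
    return detect(parse_flows(constructed_sample()))


if __name__ == "__main__":
    for src, rule, detail in run_demo():
        print(f"{src}\t{rule}\t{detail}")
```

On the constructed sample the engineering workstation's discovery produces nothing, while the unknown host 10.10.1.77 trips all three rules. The thresholds are deliberately conservative; tune them against a baseline of normal commissioning traffic before alerting on them, and keep the allow-list tied to a maintained asset inventory rather than a static set in the code.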

APT Tool for OPC UA 

The APT actors’ tool for OPC UA has modules with basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials. The client can read the OPC UA structure from the server and potentially write tag values available via OPC UA.

Refer to the appendix for TTPs associated with this tool.

Mitigations

Note: these mitigations are provided to enable network defenders to begin efforts to protect systems and devices from new capabilities. They have not been verified against every environment and should be tested prior to implementation.

DOE, CISA, NSA, and the FBI recommend all organizations with ICS/SCADA devices implement the following proactive mitigations:

  • Isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters. 
  • Enforce multifactor authentication for all remote access to ICS networks and devices whenever possible.
  • Have a cyber incident response plan, and exercise it regularly with stakeholders in IT, cybersecurity, and operations.
  • Change all passwords to ICS/SCADA devices and systems on a consistent schedule, especially all default passwords, to device-unique strong passwords to mitigate password brute force attacks and to give defender monitoring systems opportunities to detect common attacks.
  • Maintain known-good offline backups for faster recovery upon a disruptive attack, and conduct hashing and integrity checks on firmware and controller configuration files to ensure validity of those backups. 
  • Limit ICS/SCADA systems’ network connections to only specifically allowed management and engineering workstations.
  • Robustly protect management systems by configuring Device Guard, Credential Guard, and Hypervisor Code Integrity (HVCI). Install Endpoint Detection and Response (EDR) solutions on these subnets and ensure strong anti-virus file reputation settings are configured.
  • Implement robust log collection and retention from ICS/SCADA systems and management subnets.
  • Leverage a continuous OT monitoring solution to alert on malicious indicators and behaviors, watching internal systems and communications for known hostile actions and lateral movement. For enhanced network visibility to potentially identify abnormal traffic, consider using CISA’s open-source Industrial Control Systems Network Protocol Parsers (ICSNPP).
  • Ensure all applications are only installed when necessary for operation. 
  • Enforce principle of least privilege. Only use admin accounts when required for tasks, such as installing software updates. 
  • Investigate symptoms of a denial of service or connection severing, which exhibit as delays in communications processing, loss of function requiring a reboot, and delayed actions to operator commands, as signs of potential malicious activity.
  • Monitor systems for loading of unusual drivers, especially the ASRock driver if no ASRock driver is normally used on the system.
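The backup-integrity mitigation above needs two things in practice: a hash manifest of the controller configuration and firmware files, and a way to detect that the manifest itself was not rewritten together with the files. The block below is an added example, not code from the advisory; the file names, the HMAC key and the directory layout are assumptions, and the scenario it runs is constructed in a temporary directory. The sealing key must be kept offline with the known-good backups, otherwise an attacker who can alter the backup can reseal it.

```python
"""Hash manifest plus HMAC seal for offline ICS configuration/firmware backups.

Added example, not from the advisory. Assumptions: the directory layout,
file names and demo key below; the tamper scenario in demo() is constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large firmware images are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(root, manifest, tag, key):
    """Check the manifest seal first, then diff the directory against it."""
    if not hmac.compare_digest(seal_manifest(manifest, key), tag):
        raise ValueError("manifest seal mismatch: the manifest itself was altered")
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo(key=b"offline-demo-key"):
    """Constructed scenario: seal a known-good backup, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc01").mkdir()
        (root / "plc01" / "config.bin").write_bytes(b"\x00\x01known-good-config")
        (root / "plc01" / "firmware.img").write_bytes(b"FWv2.1")
        manifest = build_manifest(root)
        tag = seal_manifest(manifest, key)      # store manifest + tag offline with the backup
        clean = verify_backup(root, manifest, tag, key)
        # tamper: alter the configuration, delete the firmware, drop in a stray file
        (root / "plc01" / "config.bin").write_bytes(b"\x00\x01altered")
        (root / "plc01" / "firmware.img").unlink()
        (root / "plc01" / "agent.bin").write_bytes(b"not ours")
        tampered = verify_backup(root, manifest, tag, key)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("tampered backup:", after)
```

Run the verification from a clean host against the offline copy before restoring a controller after a disruptive event; a non-empty "unexpected" list is as important as "modified", since a planted file in a backup set is the kind of artifact that gets restored along with everything else.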

Resources

For additional information on securing OT devices, see 

Disclaimer

The information in this report is being provided “as is” for informational purposes only. DOE, CISA, NSA, and the FBI do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the DOE, CISA, NSA, or the FBI, and this guidance shall not be used for advertising or product endorsement purposes.

Acknowledgements

The DOE, CISA, NSA, and the FBI would like to thank Dragos, Mandiant, Microsoft, Palo Alto Networks, and Schneider Electric for their contributions to this joint CSA.

Appendix: APT Cyber Tools Tactics, Techniques, and Procedures

See tables 1 through 3 for TTPs associated with the cyber actors’ tools described in this CSA mapped to the MITRE ATT&CK for ICS framework. See the ATT&CK for ICS framework for all referenced threat actor tactics and techniques.

Table 1: APT Tool for Schneider Electric ICS TTPs

  • Execution: Command-Line Interface [T0807]; Scripting [T0853]
  • Persistence: Modify Program [T0889]; System Firmware [T0857]; Valid Accounts [T0859]
  • Discovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Default Credentials [T0812]; Program Download [T0843]; Valid Accounts [T0859]
  • Collection: Monitor Process State [T0801]; Program Upload [T0845]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Inhibit Response Function: Block Reporting Message [T0804]; Block Command Message [T0803]; Denial of Service [T0814]; Data Destruction [T0809]; Device Restart/Shutdown [T0816]; System Firmware [T0857]
  • Impair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]
  • Impact: Denial of Control [T0813]; Denial of View [T0815]; Loss of Availability [T0826]; Loss of Control [T0827]; Loss of Productivity and Revenue [T0828]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]

Table 2: APT Tool for OMRON ICS TTPs

  • Initial Access: Remote Services [T0886]
  • Execution: Command-Line Interface [T0807]; Scripting [T0853]; Change Operating Mode [T0858]; Modify Controller Tasking [T0821]; Native API [T0834]
  • Persistence: Modify Program [T0889]; Valid Accounts [T0859]
  • Evasion: Change Operating Mode [T0858]
  • Discovery: Network Sniffing [T0842]; Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Default Credentials [T0812]; Lateral Tool Transfer [T0867]; Program Download [T0843]; Remote Services [T0886]; Valid Accounts [T0859]
  • Collection: Detect Operating Mode [T0868]; Monitor Process State [T0801]; Program Upload [T0845]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Inhibit Response Function: Service Stop [T0881]
  • Impair Process Control: Modify Parameter [T0836]; Unauthorized Command Message [T0855]
  • Impact: Damage to Property [T0879]; Loss of Safety [T0837]; Manipulation of Control [T0831]; Theft of Operational Information [T0882]

Table 3: APT Tool for OPC UA ICS TTPs

  • Execution: Command-Line Interface [T0807]; Scripting [T0853]
  • Persistence: Valid Accounts [T0859]
  • Discovery: Remote System Discovery [T0846]; Remote System Information Discovery [T0888]
  • Lateral Movement: Valid Accounts [T0859]
  • Collection: Monitor Process State [T0801]; Point & Tag Identification [T0861]
  • Command and Control: Commonly Used Port [T0885]; Standard Application Layer Protocol [T0869]
  • Impact: Manipulation of View [T0832]; Theft of Operational Information [T0882]

Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at 410-854-4200 or Cybersecurity_Requests@nsa.gov.

Revisions
  • April 13, 2022: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: Security Alerts

Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
A vulnerability in the TCP/IP stack of Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Secure Email and Web Manager, formerly Security Management Appliance, could allow an unauthenticated, remote attacker to crash the Simple Network Management Protocol (SNMP) service, resulting in a denial of service (DoS) condition.

This vulnerability is due to an open port listener on TCP port 199. An attacker could exploit this vulnerability by connecting to TCP port 199. A successful exploit could allow the attacker to crash the SNMP service, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ESA-SNMP-JLAJksWK

Attention: Simplifying the Cisco portfolio includes the renaming of security products under one brand: Cisco Secure. For more information, see Meet Cisco Secure: https://www.cisco.com/c/en/us/products/security/secure-names.html
Security Impact Rating: Medium
CVE: CVE-2022-20675
Categories: Security Alerts

Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface of an affected device.

The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-stored-xss-XPsJghMY
Security Impact Rating: Medium
CVE: CVE-2022-20781
Categories: Security Alerts

Cisco Webex Meetings Java Deserialization Vulnerability

Cisco Security Advisories - Wed, 2022-04-06 23:00
A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code.

This vulnerability is due to improper deserialization of Java code within login requests. An attacker could exploit this vulnerability by sending malicious login requests to the Cisco Webex Meetings service. A successful exploit could allow the attacker to inject arbitrary Java code and take arbitrary actions within the Cisco Webex Meetings application.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-java-MVX6crH9
Security Impact Rating: Medium
CVE: CVE-2022-20763
Categories: Security Alerts
