Vulnerabilities Weekly Summary Ending November 4
By Jerry Adams on November 3, 2016
This week Cisco released security advisories addressing 10 vulnerabilities, 4 of which are rated critical or high priority. The Internet Systems Consortium (ISC) released an update that addresses a vulnerability in BIND, and Google released Chrome 54.0.2840, which fixes security vulnerabilities in the browser.
Cisco Security Advisories for ASR 900, Prime Home and Meeting Server
Cisco released security advisories for 10 vulnerabilities, including 4 deemed critical or high priority. Cisco ASR 900 Series routers suffer from a vulnerability that, if exploited, could allow an unauthenticated, remote attacker to cause a reload of the device or remotely execute code on it. The Cisco Prime Home web GUI suffers from an authentication bypass vulnerability that, if exploited, could allow an unauthenticated, remote attacker to bypass authentication and be granted full administrative privileges. Cisco Meeting Server suffers from two vulnerabilities: one affects the SDP parser and the other is a buffer overflow, both of which could allow a remote attacker to execute arbitrary code on the server. Below is a list of these and other vulnerabilities from the advisories:
CVE-2016-6441 – “A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 Series routers could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system. The vulnerability exists because the affected software performs incomplete bounds checks on input data. An attacker could exploit this vulnerability by sending a malicious request to the TL1 port, which could cause the device to reload. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system” (2016 Nov. 2, “Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability”).
CVE-2016-6452 – “A vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability exists because the affected software performs incomplete input validation of the size of media lines in session descriptions. An attacker could exploit this vulnerability by sending crafted packets to the SDP parser on an affected system. A successful exploit could allow the attacker to cause a buffer overflow condition on an affected system, which could allow the attacker to execute arbitrary code on the system” (2016 Nov. 2, “Cisco Prime Home Authentication Bypass Vulnerability”).
CVE-2016-6448 – “A vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability exists because the affected software performs incomplete input validation of the size of media lines in session descriptions. An attacker could exploit this vulnerability by sending crafted packets to the SDP parser on an affected system. A successful exploit could allow the attacker to cause a buffer overflow condition on an affected system, which could allow the attacker to execute arbitrary code on the system” (2016 Nov. 2, “Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability”).
CVE-2016-6447 – “A vulnerability in Cisco Meeting Server and Meeting App could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. The vulnerability exists because the software does not perform sufficient boundary checks on user-supplied data. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted IPv6 input to the vulnerable function. A successful exploit could result in an exploitable buffer underflow condition. An attacker could leverage this buffer underflow condition to incorrectly allocate memory and cause a reload of the device or execute arbitrary code with the privileges of the affected application” (2016 Nov. 2, “Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability”).
CVE-2016-6459 – “Cisco TelePresence endpoints running either CE or TC software contain a vulnerability that could allow an authenticated, local attacker to execute a local shell command injection. The vulnerability is due to incomplete input sanitization of some commands. An attacker could exploit this vulnerability by executing local shell commands with commands injected as parameters. An exploit could allow the attacker to retrieve full information from the device including private keys” (2016 Nov. 2, “Cisco TelePresence Endpoints Local Command Injection Vulnerability”).
CVE-2016-6457 – “A vulnerability in the Cisco Nexus 9000 Series Platform Leaf Switches for Application Centric Infrastructure (ACI) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the affected device. The vulnerability is due to improper handling of a type of Layer 2 control plane traffic. An attacker could exploit this vulnerability by sending crafted traffic to a host behind a leaf switch. An exploit could allow the attacker to cause a DoS condition on the affected device” (2016 Nov. 2, “Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability”).
CVE-2016-6458 – “A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass content filters configured on an affected device. Email that should have been filtered could instead be forwarded by the device. The vulnerability is due to incorrect validation of protected or encrypted email attachments that are Roshal Archive (RAR) format files. An attacker could exploit this vulnerability by sending an email message that has a crafted RAR file attachment through an affected device. A successful exploit could allow the attacker to bypass content filters that are configured to detect and act upon protected or encrypted email attachments” (2016 Nov. 2 “Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability”).
CVE-2016-6455 – “A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series routers with Data Processing Card 2 (DPC2) could allow an unauthenticated, remote attacker to cause a subset of the subscriber sessions to be disconnected, resulting in a partial denial of service (DoS) condition. The vulnerability is due to improper processing during the handoff of reassembled IPv4 or IPv6 packets. An attacker could exploit this vulnerability by sending crafted IPv4 or IPv6 fragments across the ASR 5500 Series router. An exploit could allow the attacker to cause an instance of the sessmgr service on the affected device to reload. A reload of the sessmgr service will cause all subscriber sessions serviced by that task to be disconnected, resulting in a denial of service (DoS) condition” (2016 Nov. 2, “Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability”).
CVE-2016-6360 – “A vulnerability in Advanced Malware Protection (AMP) for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to the AMP process unexpectedly restarting. The vulnerability is due to improper validation of a Java Archive (JAR) file that is scanned when AMP is configured. An attacker could exploit this vulnerability by crafting a JAR file and attaching this JAR file to an email that is then sent through the ESA, or allowing the JAR file to be download from the web through the WSA. An exploit could allow the attacker to cause the Cisco ESA and WSA AMP process to unexpectedly restart due to the malformed JAR file” (2016 Nov. 2, “Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability”).
The Internet Systems Consortium releases updates that address a vulnerability in BIND
The Internet Systems Consortium (ISC) has released updates that address a vulnerability in BIND.
CVE-2016-8864 – “A defect in BIND's handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c. During processing of a recursive response that contains a DNAME record in the answer section, BIND can stop execution after encountering an assertion error in resolver.c (error message: “INSIST((valoptions & 0x0002U) != 0) failed”) or db.c (error message: “REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed”). A server encountering either of these error conditions will stop, resulting in denial of service to clients. The risk to authoritative servers is minimal; recursive servers are chiefly at risk” (McNally, M., 2016 Nov. 1).
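The ISC advisory quoted above names the two assertion messages a vulnerable recursive resolver logs just before it exits. The following script, added here as an illustration and not ISC's code, scans BIND log lines for exactly those two strings so an operator can tell a CVE-2016-8864 crash apart from an ordinary restart while patching is still in progress. The log lines in `SAMPLE_LOG` are constructed samples in BIND's default file-log layout, not captured output; the timestamp pattern and the `find_dname_assertions` and `scan_file` names are this example's own.

```python
"""Flag BIND (named) log lines that carry the CVE-2016-8864 assertion
failures quoted in the ISC advisory.  Added example; not ISC code."""
import re
import sys
from typing import Dict, Iterable, List, Optional

# The two assertion messages quoted verbatim in the ISC advisory.  Matching
# on the assertion text (not the file:line prefix) keeps the check stable
# across BIND builds where the line numbers differ.
ASSERTIONS = {
    "resolver.c": "INSIST((valoptions & 0x0002U) != 0) failed",
    "db.c": "REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed",
}

# BIND's default file-channel timestamp, e.g. "01-Nov-2016 10:15:09.442".
TIMESTAMP = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")

# Constructed sample log (assumed layout: timestamp, category, severity, message).
SAMPLE_LOG = """\
01-Nov-2016 10:15:02.113 general: info: managed-keys-zone: loaded serial 0
01-Nov-2016 10:15:09.442 general: critical: resolver.c:4102: INSIST((valoptions & 0x0002U) != 0) failed
01-Nov-2016 10:15:09.443 general: critical: exiting (due to assertion failure)
01-Nov-2016 10:20:31.008 general: critical: db.c:622: REQUIRE(targetp != ((void *)0) && *targetp == ((void *)0)) failed
01-Nov-2016 10:21:00.000 general: info: zone example.com/IN: loaded serial 2016110101
"""


def find_dname_assertions(lines: Iterable[str]) -> List[Dict[str, Optional[object]]]:
    """Return one record per line that contains either advisory assertion.

    Each record carries the 1-based line number, the parsed timestamp (or
    None if the line has no recognisable prefix) and which source file the
    assertion belongs to, so the hits can be forwarded to a SIEM as-is.
    """
    hits: List[Dict[str, Optional[object]]] = []
    for lineno, line in enumerate(lines, start=1):
        for source_file, message in ASSERTIONS.items():
            if message in line:
                stamp = TIMESTAMP.match(line)
                hits.append(
                    {
                        "line": lineno,
                        "time": stamp.group(1) if stamp else None,
                        "file": source_file,
                        "cve": "CVE-2016-8864",
                    }
                )
    return hits


def scan_file(path: str) -> List[Dict[str, Optional[object]]]:
    """Scan a named log file on disk; errors="replace" tolerates stray bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_dname_assertions(fh)


if __name__ == "__main__":
    # With a path argument scan that file; otherwise run over the sample.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_dname_assertions(SAMPLE_LOG.splitlines())
    for hit in results:
        print(f"line {hit['line']} @ {hit['time']}: {hit['file']} assertion ({hit['cve']})")
    if not results:
        print("no CVE-2016-8864 assertion failures found")
```

Run it as `python bind_dname_check.py /var/log/named/named.log` against a live log, or without arguments to see it pick out the two constructed hits. A match is a strong signal that the resolver is unpatched and has been hit by a DNAME response that triggers the defect, which is the case where the advisory says recursive servers are chiefly at risk.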
Chrome releases update 54.0.2840 addressing vulnerabilities
Google released Chrome 54.0.2840.87 for Windows and Mac, and 54.0.2840.90 for Linux. As of now only one vulnerability fixed by this update has been disclosed.
CVE-2016-5198 – “Out of bounds memory access in V8” (2016 Nov. 1, “Stable Channel Update for Desktop”).
References:
(2016 Nov. 2). “Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms1
(2016 Nov. 2). “Cisco Prime Home Authentication Bypass Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cph
(2016 Nov. 2). “Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms1
(2016 Nov. 2). “Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-cms
(2016 Nov. 2). “Cisco TelePresence Endpoints Local Command Injection Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-tp
(2016 Nov. 2). “Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-n9kapic
(2016 Nov. 2). “Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-esa
(2016 Nov. 2). “Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161102-asr
(2016 Nov. 2). “Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability”. Cisco Systems. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-esawsa3
McNally, M. (2016 Nov. 1). “CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure”. Internet Systems Consortium. Retrieved from https://kb.isc.org/article/AA-01434/0
(2016 Nov. 1). “Stable Channel Update for Desktop”. Google Chrome. Alphabet, Inc. Retrieved from https://googlechromereleases.blogspot.com/2016/11/stable-channel-update-for-desktop.html