Cisco published five security alerts on Wednesday, issuing software updates to patch a series of vulnerabilities in three products; any of the flaws could be used to trigger a denial of service condition.
By exploiting any of these flaws, an attacker could essentially execute a low-grade denial of service attack against a company using minimal bandwidth, without even needing an army of bots. “A broader internet-based distributed denial of service (DDoS) attack wouldn't even be needed if a DoS vulnerability was exploited within a particular application,” Terrence Gareau, chief scientist at network security firm Nexusguard, told SCMagazine.com.
Cisco has created patches for all of these vulnerabilities and advises customers of any affected products to download updates for their products immediately.
The most critical of the five listed flaws was a vulnerability in the HTTP URL redirect feature of multiple versions of Cisco's Wireless LAN Controller (WLC) Software. An attacker could remotely exploit this flaw by sending a crafted HTTP traffic request, creating a buffer overflow condition that causes an affected device to reload and generate a crash file.
Dave Larson, COO at Corero Network Security, told SCMagazine.com in an interview that with these kinds of vulnerabilities, attackers can sometimes “get root access to the kernel. What that means is, it's not necessarily just a DoS outcome. That is an ‘owned’ outcome,” whereby bad actors could seize control of or take down the entire network.
Gareau noted that a DoS exploit of this nature in a setting such as a healthcare facility “would be very devastating, especially since many hospitals use wireless networks”.
There were two other vulnerabilities associated with Cisco's WLC Software, both described as having a “high” potential impact. One involved improper traffic management by the software's Bonjour task manager, while the other consisted of a flaw in its web-based management interface, due to the presence of unsupported URLs.
Cisco also flagged a vulnerability in the encryption processing subsystem of its Secure Real-Time Transport Protocol library (libSRTP), affecting a litany of Cisco products that includes phones, web conferencing servers, routers and security devices.
Finally, Cisco reported a vulnerability in the DHCPv6 relay feature of Cisco's Adaptive Security Appliance software — a disconcerting disclosure, to be sure, as it could enable a DoS attack that effectively overwhelms Cisco network security products that run this software, such as its 5500-X Series Next-Generation firewalls. The vulnerability specifically affects the 9.4.1 release of the ASA software when configured in routed firewall mode and in single or multiple context mode.
Larson said this flaw is the “one that alarms me,” noting that it presents “a significant problem because many organisations might tolerate shunting traffic around their firewall if it has a catastrophic failure”. And that might be exactly what an attacker wants so they can sneak malicious traffic into the network.
While exploiting this vulnerability remotely might be somewhat of a challenge, the flaw still poses a major threat from social engineers who steal log-in credentials from network insiders, or from more insidious threats. For instance, Larson suggested that such a threat could manifest itself as “an APT that is already inside the network, weaponised for this particular vulnerability”.
Asked for comment on the vulnerabilities, Cisco issued the following statement to SCMagazine.com: “Cisco puts the security of our customers first. When we have a vulnerability in our products, we issue a security advisory to make sure our customers know what it is and how to fix it.”
Larson said that ultimately, security alerts like the ones Cisco just issued “highlights what I believe is something that IT security should be looking at more closely: Can you afford to have low-grade DDoS in your environment and ignore it?”