A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code.
The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.
The flaw could be exploited by an authenticate attacker to the target system with admin privileges and upload any malicious file, then execute arbitrary code with elevated privileges.
Cisco IND is a software designed to manage industrial networks and helps monitor automated devices in an industrial network.
The cause behind Bugs:-
The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device.
Cisco has identified three security bugs in Industrial Network Director (IND) software. In a series of security advisories released on Wednesday, Cisco addressed these major flaws present in IND. One of these flaws was a “high severity” remote code execution (RCE) vulnerability that could allow threat actors to execute arbitrary code with elevated privileges.
The RCE flaw, designated as CVE-2019-1861, had a CVSS score of 7.2. The flaw was the result of a file validation issue in IND. In an advisory, Cisco mentions that an attacker could exploit this flaw by authenticating to an affected system using administrator-level privileges and subsequently uploading arbitrary files.
The other two flaws identified by Cisco are a stored cross-site scripting (XSS) flaw and a cross-site request forgery (CSRF) vulnerability. While the XSS flaw enables attackers to send malicious requests, the CSRF vulnerability allows anyone to perform arbitrary actions on the affected systems.
Cisco has released software updates for the RCE flaw. However, XSS and CSRF flaws are still left unpatched.
Things to noticed:-
The company has released IND flaws and security flaws. Cisco Industrial Network Director software releases 1.6.0 and later address this vulnerability. Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
Customers security update releases:-
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases, this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. The products include Cisco Unified Communications Manager IM and Presence Service, Cisco TelePresence Video Communication Server, Cisco Expressway Series, Cisco Enterprise Chat and Email Center, Cisco Unified Computing System, Cisco IOS XR, and Cisco Webex Meetings Server.
Read More News Related To Cyber Security Click Here