Cisco Security Advisories

Number: AV13-039
Date: 25 October 2013

Purpose

Cisco has released three security advisories to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, bypass authentication, or cause a denial-of-service (DoS) condition.

Assessment

1. Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability.

The vulnerability is due to insufficient sanitization of user-supplied input. An attacker could exploit this vulnerability by sending crafted requests consisting of Object-Graph Navigation Language (OGNL) expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.
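The OGNL expressions described above arrive as ordinary request parameters, so web-server access logs are one place a defender can look for them. The following is an added example, not code from Cisco or CCIRC: it parses constructed common-log-format lines (sample data, not real traffic), URL-decodes each request target, and flags any path or query that carries Struts 2 OGNL expression delimiters (%{...} or ${...}), including doubly-encoded ones.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2013:10:01:02 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [25/Oct/2013:10:01:07 +0000] "GET /app/login.action?q=%24%7B1%2B1%7D HTTP/1.1" 500 0
10.0.0.9 - - [25/Oct/2013:10:01:09 +0000] "POST /app/upload.action?name=%2525%257Bx%257D HTTP/1.1" 500 0
10.0.0.5 - - [25/Oct/2013:10:01:12 +0000] "GET /shop/price.html?amount=%24100 HTTP/1.1" 200 88
"""

# Common log format: client, identity, user, [timestamp], "METHOD target PROTOCOL", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# OGNL expression delimiters as Struts 2 evaluates them: %{...} or ${...}
OGNL_RE = re.compile(r"[%$]\{[^}]*\}")


def find_ognl(value: str) -> Optional[str]:
    """Return the first OGNL-style expression found in value after URL decoding.

    Decoding is applied twice so a doubly-encoded expression is also surfaced;
    unquote() leaves text without %xx sequences unchanged, so this is safe.
    """
    decoded = unquote(unquote(value))
    m = OGNL_RE.search(decoded)
    return m.group(0) if m else None


def scan_log(log_text: str) -> list:
    """Flag every request whose path or query string carries an OGNL expression."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        parts = urlsplit(m.group("target"))
        expr = find_ognl(parts.path) or find_ognl(parts.query)
        if expr:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "target": m.group("target"), "expression": expr})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['target']} -> {hit['expression']}")
```

A literal dollar sign in a legitimate value (the price line above) does not match because the check requires the surrounding braces; POST bodies are not in the access log, so body parameters need a separate source such as a WAF or application log.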

2. Multiple Vulnerabilities in Cisco Identity Services Engine
Cisco Identity Services Engine (ISE) contains the following vulnerabilities:

- Cisco ISE Authenticated Arbitrary Command Execution Vulnerability
- Cisco ISE Support Information Download Authentication Bypass Vulnerability

These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.

Successful exploitation of the Cisco ISE Authenticated Arbitrary Command Execution Vulnerability may allow an authenticated remote attacker to execute arbitrary code on the underlying operating system.

Successful exploitation of the Cisco ISE Support Information Download Authentication Bypass Vulnerability could allow an unauthenticated attacker to obtain sensitive information, including administrative credentials.

3. Cisco IOS XR Software Route Processor Denial of Service Vulnerability
Cisco IOS XR Software Releases 3.3.0 to 4.2.0 contain a vulnerability when handling fragmented packets that could result in a denial-of-service (DoS) condition of the Cisco CRS Route Processor cards listed in the "Affected Products" section of this advisory.

The vulnerability is due to improper handling of fragmented packets. The vulnerability could cause the route processor, which processes the packets, to be unable to transmit packets to the fabric.

Suggested action

CCIRC recommends that systems administrators identify their affected assets and potential interdependencies with their organization's critical services and follow their patch management process accordingly.

Cisco has released free software updates that address these vulnerabilities.

References:
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Vulnerabilities in Cisco Identity Services Engine
Cisco IOS XR Software Route Processor Denial of Service Vulnerability

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated:
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
