Cisco Security Updates

Number: AV18-052
Date: 28 March 2018

Purpose

The purpose of this advisory is to bring attention to multiple Cisco security advisories.

Assessment

Cisco released multiple security updates to address vulnerabilities (medium to critical severity) in the following products.

- Cisco IOS XE Software Static Credential Vulnerability
- Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability
- Cisco IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability
- Cisco IOS XE Software Web UI Remote Access Privilege Escalation Vulnerability
- Cisco IOS XE Software Simple Network Management Protocol Double-Free Denial of Service Vulnerability
- Cisco IOS Software Simple Network Management Protocol GET MIB Object ID Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability
- Cisco IOS XE Software User EXEC Mode Root Shell Access Vulnerabilities
- Cisco IOS XE Software with Cisco Umbrella Integration Denial of Service Vulnerability
- Cisco IOS, IOS XE, and IOS XR Software Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
- Cisco IOS XE Software for Cisco Catalyst Switches IPv4 Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Internet Key Exchange Memory Leak Vulnerability
- Cisco IOS XE Software Internet Group Management Protocol Memory Leak Vulnerability
- Cisco IOS XE Software Zone-Based Firewall IP Fragmentation Denial of Service Vulnerability
- Cisco IOS Software Integrated Services Module for VPN Denial of Service Vulnerability
- Cisco IOS and IOS XE Software DHCP Version 4 Relay Denial of Service Vulnerability
- Cisco IOS and IOS XE Software DHCP Version 4 Relay Reply Denial of Service Vulnerability
- Cisco IOS and IOS XE Software DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
- Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability
- Cisco IOS XE Software Arbitrary File Write Vulnerability
- Cisco IOS XE Software Web UI Cross-Site Scripting Vulnerabilities
- Cisco IOS Software Login Enhancements Login Block Denial of Service Vulnerabilities
- Cisco IOS XE Software Switch Integrated Security Features IPv6 Denial of Service Vulnerability
- Cisco IOS XE Software REST API Authorization Bypass Vulnerability
- Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers Privileged EXEC Mode Root Shell Access Vulnerability
- Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability
- Cisco IOS Software 802.1x Multiple-Authentication Port Authentication Bypass Vulnerability
- Cisco IOS XE Software CLI Command Injection Vulnerabilities
- Cisco IOS and IOS XE Software Forwarding Information Base Denial of Service Vulnerability

CVE References: CVE-2018-0150, CVE-2018-0151, CVE-2018-0152, CVE-2018-0154, CVE-2018-0155, CVE-2018-0156, CVE-2018-0157, CVE-2018-0158, CVE-2018-0159, CVE-2018-0160, CVE-2018-0161, CVE-2018-0163, CVE-2018-0164, CVE-2018-0165, CVE-2018-0167, CVE-2018-0169, CVE-2018-0170, CVE-2018-0171, CVE-2018-0172, CVE-2018-0173, CVE-2018-0174, CVE-2018-0175, CVE-2018-0176, CVE-2018-0177, CVE-2018-0179, CVE-2018-0180, CVE-2018-0182, CVE-2018-0183, CVE-2018-0184, CVE-2018-0185, CVE-2018-0186, CVE-2018-0188, CVE-2018-0189, CVE-2018-0190, CVE-2018-0193, CVE-2018-0195, CVE-2018-0196

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
