Cisco patched critical and high severity vulnerabilities in several products, including the Cloud Services Platform (CSP), the Firepower Extensible Operating System (FXOS) and NX-OS software, and some Small Business IP phones.
The most severe vulnerability patched in this round is CVE-2017-12251, a critical unauthorized-access flaw affecting the Cloud Services Platform 2100.
The Cloud Services Platform is used by many organizations to deploy Cisco and third-party virtual network services.
The vulnerability resides in the web console of the Cisco Cloud Services Platform (CSP) 2100 and could be exploited by a remote, unauthenticated attacker to interact maliciously with the services or virtual machines (VMs) running on an affected CSP device.
“The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs’ URLs in Cisco CSP and viewing specific patterns that control the web application’s mechanisms for authentication control,” reads the security advisory. “An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system’s confidentiality, integrity, and availability.”
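The advisory describes a general flaw class: authentication material carried in a web-console URL that is generated in a way an attacker can reproduce. The following is an added illustration of that class, not Cisco's code. The article does not say how CSP 2100 actually built its URLs, so the weak scheme below (a console token derived deterministically from the VM name and a fixed app constant) is an assumption chosen only to show why such a design fails, beside a hardened form that issues unguessable per-session tokens bound server-side to a user and a VM.

```python
# Added example illustrating guessable vs. unguessable console URL tokens.
# NOT code from Cisco or from the article; the weak scheme is a hypothetical.
import hashlib
import hmac
import secrets

APP_CONSTANT = "csp-console"  # hypothetical fixed value baked into the web app


def weak_console_token(vm_name: str) -> str:
    """Weak: the token is a deterministic function of public data.
    Anyone who knows the VM name and the scheme can recompute it."""
    return hashlib.md5(f"{APP_CONSTANT}:{vm_name}".encode()).hexdigest()


class WeakConsole:
    """Console that authorizes access purely from a recomputable token."""

    def __init__(self, vms):
        self.vms = set(vms)

    def open(self, vm_name: str, token: str) -> bool:
        # No notion of who is asking; only whether the token 'fits' the VM name.
        return vm_name in self.vms and token == weak_console_token(vm_name)


class HardenedConsole:
    """Console that issues random per-session tokens, bound server-side
    to an authenticated user and a single VM."""

    def __init__(self, vms):
        self.vms = set(vms)
        self._sessions = {}  # token -> (user, vm_name)

    def issue(self, user: str, vm_name: str) -> str:
        if vm_name not in self.vms:
            raise KeyError(vm_name)
        # 256 bits from the OS CSPRNG: no relation to the VM name or any constant.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, vm_name)
        return token

    def open(self, vm_name: str, token: str) -> bool:
        # Constant-time comparison against stored tokens, then check the binding
        # so a token valid for one VM cannot be replayed against another.
        for stored, (_user, bound_vm) in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return bound_vm == vm_name
        return False


def attacker_guess(vm_name: str) -> str:
    """What an attacker who learned the scheme from one VM's URL would submit."""
    return weak_console_token(vm_name)


def demo():
    weak = WeakConsole(["vm-a", "vm-b"])
    hard = HardenedConsole(["vm-a", "vm-b"])
    real = hard.issue("alice", "vm-a")
    return {
        "weak_forged": weak.open("vm-b", attacker_guess("vm-b")),
        "hard_legit": hard.open("vm-a", real),
        "hard_cross_vm": hard.open("vm-b", real),
        "hard_forged": hard.open("vm-a", attacker_guess("vm-a")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the hashing but the source of the token and the server-side binding: a token that can be recomputed from anything visible in the URL is not an authentication mechanism, regardless of the algorithm used to derive it.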
The vulnerability affects the Cloud Services Platform 2100 versions 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1 and 2.2.2. Cisco has addressed the vulnerability with the release of version 2.2.3.
According to Cisco, the flaw has not been exploited in attacks in the wild.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory,” continues the security advisory.
To read the original article: http://securityaffairs.co/wordpress/64531/hacking/cisco-cloud-services-platform-flaws.html