Cisco snaps shut remote pwnage hole in Cloud Services Platform
Flaw allowed hijacking via HTTP snippets
Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP).
Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk.
Designed as an efficient way to manage virtualized network services and components, CSP is installed as a Linux x86 virtual machine built into a Cisco network appliance. The system includes a web-based GUI for device management.
Cisco says that the flaw (CVE-2016-6374) allows an attacker to send malformed HTTP requests to achieve remote code execution.
Specifically, Cisco warns, the attacker will be able to shoot the targeted system a poisoned DNS-lookup request through the CSP web interface. That attacker could then execute commands on the server without the need for further authentication.
Cisco noted that, aside from installing the update, there are no known mitigations for the vulnerability. No other Cisco appliances or hardware are believed to be subject to the flaw, and Cisco says it is not aware of any attempts to exploit the vulnerability in the wild.
The patch comes just three days after Cisco issued a fix for another high-severity flaw in its IOS platform.
That flaw, spotted during the "Shadow Brokers" review, allowed for a cock-up in the handling of IKE requests to open up memory contents to a remote attacker, potentially allowing for information disclosure. ®