Cisco's subscriber management software needs immediate patch

Switchzilla's also looking for any Dirty COWs in its code

Service providers using Cisco' Prime to manage consumers' networks need to run in a critical patch.

The vulnerability Cisco turned up gives a remote attacker full administrative privileges over the system, thanks to its Web GUI.

A crafted HTTP request to a particular URL lets an attacker “obtain a valid session identifier for an arbitrary user” – all the way up to administrator.

The problem affects Cisco Prime Home versions 5.1.1.6 and earlier (all need to be migrated to 5.1.1.7), and 5.2.2.2 and earlier (migrate to 5.2.2.3); versions 6.0 and later are in the clear.

The other critical patch for this week is in the company's ASR 900 Series aggregation router: the remote POP device is subject to remote code execution.

“The vulnerability exists because the affected software performs incomplete bounds checks on input data,” the advisory says.

A malicious request to its TL1 port can force a reload of the router, opening the window for an attacker to execute arbitrary code, get control, or force a reload.

The bug is present on ASR 901, ASR 901 10G, ASR 901S, and ASR 920 routers, running versions 3.17.0S, 3.17.1S, 3.17.2S, 3.18.0S, and 3.18.1S of in the IOS XE software.

Switchzilla also recommends sysadmins with ASR 900s run a stack trace to see if they've been compromised. The indicator is that the TL1 helper process has crashed. You'll see a message like this:

Exception to IOS Thread: Frame pointer 0x348D3D18, PC = 0x150255E4

UNIX-EXT-SIGNAL: Segmentation fault(11), Process = TL1 Helper Process -Traceback= 1#c2f8cd10bbd769d41be54f5792c0ec33 :10000000+50255E4 :10000000+33DEED0 :10000000+33DEED0 :10000000+33D6718 :10000000+33D5444

Infrastructure Access Control (IAC) lists can be used as a workaround, and a patch is available.

Other advisories that landed today (US time) include:

Finally, Switchzilla has announced it's investigating whether any of its Linux kernel implementations are herding a Dirty COW. ®


Biting the hand that feeds IT © 1998–2017