Cisco fixes serious security flaws in networking, communications products

Some of the company's new updates address a known vulnerability in Apache Struts

Cisco Systems released software security updates Wednesday to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.

The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.

The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product's configuration or other sensitive information, including administrative credentials.

Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.

The vulnerability, identified as CVE-2013-2251, is located in Struts' DefaultActionMapper component and was patched by Apache in Struts version 2.3.15.1 which was released in July.

The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.

"The impact of this vulnerability on Cisco products varies depending on the affected product," Cisco said in an advisory. "Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system."

No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but the flaw's successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or trick a user with valid credentials into executing a malicious URL, the company said.

"Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product," Cisco said.

Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.

The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.

In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.

Struts version 2.3.15.2, which was released in September, made some changes to the DefaultActionMapper "action:" prefix that's used to attach navigational information to buttons within forms in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the CVE-2013-4310 identifier.

Struts 2.3.15.3, released on Oct. 17, turned off support for the "action:" prefix by default and added two new settings called "struts.mapper.action.prefix.enabled" and "struts.mapper.action.prefix.crossNamespaces" that can be used to better control the behavior of DefaultActionMapper.

The Struts developers said that upgrading to Struts 2.3.15.3 is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.

It's not clear when or if Cisco will patch CVE-2013-4310 in its products, giving that the fix appears to involve disabling support for the "action:" prefix. If the Struts applications in those products use the "action:" prefix the company might need to rework some of their code.

Join the PC World newsletter!

Error: Please check your email address.

Tags patchesCisco Systemstrend microNetworkingsecuritypatch managementExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?