Cisco hunts for Apache Struts 2 FileUpload bug and finds DIRTY CoW exploit


Cisco has started scouring its own products for the Apache Struts 2 flaw disclosed this week and says it accidentally shipped software with an exploit for the DIRTY CoW Linux kernel bug. 

The flaw affects Struts versions 2.3.36 and earlier, which by default use a FileUpload library with a two-year-old critical flaw that could lead to remote code execution.

Cisco hasn’t confirmed any products are vulnerable but it will be updating this advisory if and when it finds any. 

“The vulnerability is due to insufficient validation of user-supplied input by the affected software,” Cisco noted. 

“An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system.”

Cisco also discovered that it accidentally left an exploit for the DIRTY CoW Linux kernel bug in Cisco Expressway Series and Cisco TelePresence Video Communication Server software. Cisco said there was a mistake in the final QA validation in the system it uses to build that software. The validation is meant to check that Cisco's products have all the patches for that vulnerability.

Cisco however notes that the “dormant exploit code” doesn’t create a risk for the products or make them vulnerable, since patches for the flaw were in the affected software images. Still, it has removed the affected images and will replace them with images that don’t contain the exploit.

The company disclosed three more critical flaws affecting Stealthwatch Management Console (SMC) of Cisco Stealthwatch Enterprise, Cisco Small Business Switches software, and Cisco Unity Express (CUE). 

The Stealthwatch SMC bug is due to an insecure system configuration that could allow an unauthenticated remote attacker to gain administrative privileges.  It affects multiple major releases of Stealthwatch Enterprise. For release 6.10, it’s fixed in release 6.10.3. 


Cisco discovered the bug during internal testing and isn’t aware of any attacks in the wild. 

Several of Cisco’s Small Business Switches are vulnerable to a software bug that could allow an attacker to bypass user authentication and execute code with admin privileges. 

Cisco doesn’t have a patch for affected systems yet, but it details a workaround. Devices are vulnerable if no user accounts have been configured with access privileges set to “level 15”.

The software by default creates a highly privileged user account for initial setup, which isn’t visible to an admin and can’t be removed from the system. An attacker can use this account to log in and execute code with full admin rights.

An admin can disable the setup account by creating other user accounts set to level 15, but if all user-configured level 15 accounts are removed, the software revives the hidden setup account and doesn’t notify the admin. That’s when an attacker could exploit the flaw with full admin rights.

The workaround involves creating one or more user accounts with access privileges set to level 15.    
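A way to check saved switch configurations for this condition, as an added example that is not from Cisco or the original article. It assumes local accounts appear in the configuration as lines of the form `username NAME ... privilege N`; the device names and configuration text are constructed samples.

```python
import re

# Assumption (not stated in the article): local accounts appear in the saved
# configuration as lines of the form "username NAME ... privilege N".
USER_RE = re.compile(r"^\s*username\s+(\S+)(.*)$", re.IGNORECASE)
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b", re.IGNORECASE)


def level15_accounts(config_text):
    """Return names of user-configured accounts set to privilege level 15."""
    names = []
    for line in config_text.splitlines():
        user = USER_RE.match(line)
        if not user:
            continue  # also skips "no username ..." removal lines
        priv = PRIV_RE.search(user.group(2))
        # Assumption: an account without an explicit level is not level 15.
        if priv and int(priv.group(1)) == 15:
            names.append(user.group(1))
    return names


def exposed(configs):
    """Devices with no user-configured level-15 account (workaround missing)."""
    return sorted(d for d, text in configs.items() if not level15_accounts(text))


def newly_exposed(previous, current):
    """Devices that lost their last level-15 account between two snapshots."""
    # The switch does not notify the admin, so the snapshot diff is the signal.
    before = set(exposed(previous))
    return [d for d in exposed(current) if d in previous and d not in before]


# Constructed sample snapshots (hypothetical device names, placeholder hashes).
YESTERDAY = {
    "sw-floor1": "hostname sw-floor1\nusername ops password encrypted HASH privilege 15\n",
    "sw-floor2": "hostname sw-floor2\nusername view password encrypted HASH privilege 1\n",
}
TODAY = {
    "sw-floor1": "hostname sw-floor1\nusername view password encrypted HASH privilege 1\n",
    "sw-floor2": "hostname sw-floor2\nusername view password encrypted HASH privilege 1\n",
}

if __name__ == "__main__":
    print("exposed now:", exposed(TODAY))
    print("lost last level-15 account:", newly_exposed(YESTERDAY, TODAY))
```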

Affected devices include Cisco Small Business 200 Series Smart Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches, Cisco 250 Series Smart Switches, Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, and Cisco 550X Series Stackable Managed Switches. 

Cisco’s CUE contains a Java deserialization flaw that allows a remote attacker to execute shell commands at will as root user. Fortunately Cisco does have a patch available. The bug affects all CUE releases before 9.0.6.


Cisco disclosed 11 more medium severity flaws on Wednesday that can be found here.  
