Because Cisco is a major part of the technology community, cybersecurity issues at the networking equipment maker are a huge deal for everyone in the IT world. In the month of September alone, there were numerous vulnerabilities patched for various Cisco products. The newest issue to arise for Cisco involves command injection and execution vulnerabilities. On September 21, Cisco announced three different cases, two of which have patches while the other does not at this time.
The first vulnerability with a patch is CVE-2016-6373, which affects the Cisco Cloud Services Platform 2100. It allows a remote threat actor to inject commands that execute with root-level access. The patch report states that "the vulnerability is due to insufficient sanitization of user-supplied input." CVE-2016-6373 has been judged a "Critical" flaw that needs to be patched as soon as possible.
The second patched vulnerability, CVE-2016-6374, also affects the Cloud Services Platform 2100. In this case, arbitrary code can be remotely executed via a dnslookup request to the target system. What created this particular flaw, according to Cisco, is "insufficient sanitization of specific values received as part of a user-supplied HTTP request." CVE-2016-6374 is ranked "High" on the CVSS scale, so once again patching is advised as quickly as possible.
Cisco's third reported vulnerability may not be as dangerous as far as the CVSS ranking is concerned (Base 6.8), but it has no patch or workaround. Since there is no fix, CVE-2016-6414 is probably the most concerning of the three vulnerabilities. Occurring in Cisco's IOS and IOS XE software, this flaw gives attackers the chance to execute various commands in the IOx Linux guest operating system (GOS). The vulnerability results from "insufficient input validation of iox command-line arguments." It is difficult to tell security teams and system administrators what they should do in light of CVE-2016-6414 without patches or official workarounds. The best advice I could possibly give in this particular instance is to disable the IOS and IOS XE software until Cisco releases a solution.
With so many security issues in one month, hopefully Cisco and its users, who are many in the IT world, can catch a break soon.
Photo credit: J Chou