SB2018030912 - Multiple vulnerabilities in Cisco Secure Access Control

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Command injection (CVE-ID: CVE-2018-0147)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists in Java deserialization due to insecure deserialization of user-supplied content. A remote attacker can send a specially crafted serialized Java object and execute arbitrary commands on the device with root privileges.

2) XXE attack (CVE-ID: CVE-2018-0218)

The vulnerability allows a remote attacker to conduct XXE attack.

The weakness exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the administrator of an affected system to import a crafted XML file, perform XXE attack and read arbitrary data.

3) XXE attack (CVE-ID: CVE-2018-0207)

The vulnerability allows a remote attacker to conduct XXE attack.

The weakness exists in the web-based user interface due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the administrator of an affected system to import a crafted XML file, perform XXE attack and read arbitrary data.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs1
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs