Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution
Cisco is warning of critical remote code-execution (RCE) vulnerabilities in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network (EPN) Manager, which is used by telcos, mobile carriers, cable companies and ISPs to manage their hardware infrastructure. The vendor also issued estimated bug-fix dates for an unpatched, high-severity Secure Boot flaw that was disclosed on Monday, and addressed a high-severity flaw that would allow arbitrary code execution on WebEx for Windows, Cisco’s widely deployed web conferencing and collaboration software. The newly disclosed critical issue consists of multiple vulnerabilities in the web-based management interface of the PI and EPN Manager, which could allow a remote attacker to execute arbitrary code with root privileges on the underlying operating system.
The manager controls the Cisco EPN, which brings software programmability and virtualization to the underlying physical hardware of a service provider network; it is used to manage services, subscriber policies, bandwidth resources and more. The most concerning of the issues, CVE-2019-1821, can be exploited by an unauthenticated attacker who has network access to the affected administrative interface. The second and third issues, CVE-2019-1822 and CVE-2019-1823, require that an attacker have valid credentials to authenticate to the impacted administrative interface before exploitation can take place.