V-209: Cisco WAAS (Wide Area Application Services) Arbitrary Code Execution Vulnerabilities

August 2, 2013 - 2:25am

PROBLEM:

Two vulnerabilities have been reported in Cisco WAAS (Wide Area Application Services), which can be exploited by malicious users and malicious people to compromise a vulnerable system.

PLATFORM:

Versions 5.0.x, 5.1.x, and 5.2.x.

ABSTRACT:

Cisco Wide Area Application Services (WAAS), when configured as Central Manager (CM), contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.

REFERENCE LINKS:

Secunia Advisory SA54372
CVE-2013-3443  
CVE-2013-3444 

IMPACT ASSESSMENT:

High

DISCUSSION:

Multiple Cisco content network and video delivery products contain a vulnerability when they are configured to run in central management mode. This vulnerability could allow an authenticated but unprivileged, remote attacker to execute arbitrary code on the affected system and on the devices managed by the affected system.

An error within the web service framework can be exploited to execute arbitrary code via a specially crafted POST request. Successful exploitation of this vulnerability requires the device to be configured as Central Manager.

An error within the web framework can be exploited to inject and execute arbitrary commands. Successful exploitation of this vulnerability requires the device to be configured to run in central management mode.

The vulnerabilities are reported in 4.x versions later than 4.2.1.

IMPACT:

System access

SOLUTION:

 
Upgrade to version 5.0.3e, 5.1.1c, or 5.2.1.