Yes, this is our third Cisco story of the day. It's about 23 bugs you need to fix, stat
Thursday, 22 June 2017 17:02

We all know the only thing more fun than a WebEx conference is a recorded WebEx conference, which is why WebEx Network Recording Player exists – and if you use it, you need to patch it.

Switchzilla's 23-patch Wednesday Whack-a-Mole includes fixes for multiple buffer overrun WebEx vulnerabilities.

The WebEx vulns can be exploited by sending a victim an Advanced Recording Format (ARF) file. If they're the kind of tragic who can be convinced to spend part of their life replaying a Web conference, their machine will crash, opening the gate to remote code execution.

The software is part of the WebEx Business Suite; affected builds are listed on the advisory, and if you can't patch, Cisco provides instructions for removing the software entirely.

There are two other high-rated bugs splatted today, one in a Cisco Prime network management product, the other in its Virtualised Packet Core environment.

The Cisco Prime Infrastructure and Evolved Programmable Network Manager has an XML injection bug. The upside is that it's only exploitable by someone with valid credentials.

Users of the company's Virtualized Packet Core-Distributed Instance are exposed to a denial-of-service vulnerability: processes can be crashed by crafted IPv4 UDP packets.

The remainder are outlined below.

Prime Infrastructure: 5
Prime Collaboration Provisioning: 4
Firepower Management Center: 3
Identity Services Engine: 2
IOS XR: 2
Wide Area Application Services: 1
Unified Contact Center: 1
SocialMiner: 1
StarOS for ASR 5000: 1

For all you completists out there, here's Cisco's full list of vulns. And SEC Consult, which found four of the holes (CVE-2017-6662, CVE-2017-6698, CVE-2017-6699, and CVE-2017-6700), has a writeup of the coding cockups it reported to Cisco here. ®

Source: http://bit.ly/2sWB56z