Cisco 6Ô¶à¸ö°²È«·ì϶

°ä²¼¹¦·ò 2021-06-04

0x00 ·ì϶¸ÅÊö

2021Äê06ÔÂ02ÈÕ £¬Cisco°ä²¼°²È«²¼¸æ £¬½¨¸´ÁËÔ̺¬Webex Player¡¢SD-WAN Èí¼þºÍ ASR 5000 ϵÁÐÈí¼þÖеĶà¸ö°²È«·ì϶ £¬¹¥»÷ÕßÄܹ»Í¨¹ýÀûÓÃÕâЩ·ì϶ÌáÉýȨÏÞ»òÔÚÊÜÓ°ÏìµÄϵͳÉÏÖ´ÐÐËÁÒâ´úÂë¡£

 

0x01 ·ì϶ÏêÇé

image.png

 

ÔÚ±¾´Î½¨¸´µÄ¸ßΣ·ì϶ÖÐ £¬CVE-2021-1503¡¢CVE-2021-1526ºÍCVE-2021-1502¶¼ÊÇCisco WebexÖеÄÄÚ´æ°Ü»µ·ì϶ £¬CVSSÆÀ·Ö¾ùΪ7.8¡£ÓÉÓڶԸ߼¶Â¼ÔìÌåʽ (ARF) »ò Webex ¼ÔìÌåʽ (WRF) µÄ Webex ¼ÔìÎļþÖеÄÖµÑéÖ¤²»¼° £¬¹¥»÷ÕßÄܹ»Í¨¹ýÁ´½Ó»òµç×ÓÓʼþ¸½¼þÏòÓû§·¢ËͶñÒâ ARF »ò WRF Îļþ²¢ÓÕµ¼Óû§´ò¿ª¸ÃÎļþÀ´ÀûÓÃÕâЩ·ì϶ £¬×îÖÕµ¼Ö¹¥»÷ÕßʹÓÃÖ¸±êÓû§µÄȨÏÞÔÚÊÜÓ°ÏìµÄϵͳÉÏÖ´ÐÐËÁÒâ´úÂë¡£

CVE-2021-1528ÊÇCisco SD-WAN Èí¼þCLI ÖеÄÒ»¸öÌáȨ·ì϶ £¬CVSSÆÀ·ÖΪ7.8 £¬ÓÉÓÚÊÜÓ°ÏìµÄÈí¼þûÓÐÕýÈ·Ï޶ȶÔÌØȨ¹ý³ÌµÄ½Ó¼û £¬¾­¹ýÉí·ÝÑéÖ¤µÄ±¾µØ¹¥»÷ÕßÄܹ»Í¨¹ýŲÓÃÊÜÓ°ÏìϵͳÖеÄÌØȨ¹ý³ÌÀ´ÀûÓô˷ì϶ £¬×îÖÕ¿ÉÄÜʹÓÃrootÓû§µÄȨÏÞÖ´ÐвÙ×÷¡£

CVE-2021-1539ºÍCVE-2021-1540ÊÇCisco ASR 5000 ϵÁÐÈí¼þ (StarOS) ÊÚȨ¹ý³ÌÖеķì϶ £¬CVSSÆÀ·Ö±ðÀëΪ8.1ºÍ6.5¡£ÓÉÓڷǽ»»¥Ê½ CLI ºÅÁîµÄÃýÎóÊÚȨ £¬¹¥»÷ÕßÄܹ»Í¨¹ýÏòÊÜÓ°ÏìµÄÉ豸·¢ËͶñÒâSSHÒªÇóÀ´ÀûÓô˷ì϶ £¬×îÖÕ¾­¹ýÉí·ÝÑéÖ¤µÄÔ¶³Ì¹¥»÷Õß¿ÉÄÜÈƹý TACACS ÊÚȨ»ònocli ÊÚȨ £¬²¢ÔÚÊÜÓ°ÏìµÄÉ豸ÉÏÖ´ÐÐ CLI ºÅÁî¡£

 

CVE-ID

ÀàÐÍ

Ó°Ïì

Ó°ÏìÁìÓò

CVE-2021-1502

ÑéÖ¤²»¼°¡¢ÄÚ´æ°Ü»µ

ËÁÒâ´úÂëÖ´ÐÐ

Windows   ºÍ macOS °æ£º Cisco Webex Network Recording Player¼°41.4°æ±¾Ö®Ç°µÄCisco Webex Player

CVE-2021-1503

Windows   ºÍ macOS °æ£º Cisco Webex Network Recording Player¼°41.2°æ±¾Ö®Ç°µÄCisco Webex Player

CVE-2021-1526

Windows   ºÍ MacOS °æ£º

41.5°æ±¾Ö®Ç°µÄ Cisco Webex Player

CVE-2021-1528

½Ó¼ûÏ޶Ȳ»µ±

ȨÏÞÌáÉý

ÔËÐÐCisco¡¡SD-WAN Èí¼þ°æ±¾20.4¡¢20.5µÄÒÔϲúÆ·£º

SD-WAN   vBond Orchestrator Software

SD-WAN   vEdge Cloud Routers

SD-WAN   vEdge Routers

SD-WAN   vManage Software

SD-WAN   vSmart Controller Software

CVE-2021-1539

ÊÚȨÃýÎó

TACACS   ÊÚȨÈƹý

ÔËÐÐCisco¡¡StarOS °æ±¾£¨21.16֮ǰ°æ±¾¡¢21.16¡¢21.17¡¢21.18¡¢21.19¡¢21.19.n¡¢21.20£©µÄÒÔÏÂCisco²úÆ·£º

ASR   5000 Series Aggregation Services Routers

Virtualized   Packet Core ¨C Distributed Instance (VPC-DI)

Virtualized   Packet Core ¨C Single Instance (VPC-SI)

CVE-2021-1540

nocli   ÊÚȨÈƹý

 

0x02 ´ëÖý¨Òé

Ä¿Ç°CiscoÒѾ­½¨¸´ÁËÕâЩ·ì϶ £¬½¨Òé²Î¿¼¹Ù·½°²È«²¼¸æʵʱÉý¼¶¸üУº

²Î¿¼Ïνӣº

https://tools.cisco.com/security/center/publicationListing.x

 

0x03 ²Î¿¼Á´½Ó

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-autho-bypass-mJDF5S7n

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-player-kOf8zVT

https://securityaffairs.co/wordpress/118564/security/cisco-webex-player-sd-wan-asr-5000-flaws.html?

 

0x04 ¹¦·òÏß

2021-06-02  Cisco°ä²¼°²È«²¼¸æ

2021-06-04  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png