Multiple Cisco Security Vulnerabilities (ASA, CUCM, WLC, etc.)

Hello,


On April 20th, Cisco released multiple advisories detailing security vulnerabilities that affect a wide range of their products including ASA firewall, Unified Communications Manager (CUCM), WLC and more. The vulnerabilities, if exploited, would allow an attacker to launch a denial-of-service (DoS) attack on the device, possibly resulting in service disruption.

The vulnerability details and remedies are listed below.
It is advised that you check whether any component of your network is affected and, if so, patch it as soon as possible to prevent a potential breach.

libSRTP DoS Vulnerability (CVE-2015-6360):
The vulnerability is in the encryption processing subsystem of libSRTP, a Secure Real-Time Transport Protocol (SRTP) library. It could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet, designed to trigger the issue, to an affected device. Cisco released version 1.5.3 of libSRTP to address this issue, which affects multiple products (including ASA, CUCM and IOS XE).

Product | Bug ID | Fixed Release

Collaboration and Social Media
Cisco WebEx Meetings Server versions 1.x | CSCux00729 | (no fixed release listed)
Cisco WebEx Meetings Server versions 2.x | CSCux00729 | 2.6.1 and 2.7 (June 2016)

Endpoint Clients and Client Software
Cisco Jabber | CSCux00711 | 11.6

Network and Content Security Devices
Cisco Adaptive Security Appliance (ASA) Software | CSCux00686 | 8.4.7.31, 9.1.7, 9.2.4.6, 9.3.3.8

Routing and Switching - Enterprise and Service Provider
Cisco IOS XE Software | CSCux04317 | 3.10.7S, 3.13.5S, 3.14.3S, 3.15.3S, 3.16.2S, 3.17.1S

Voice and Unified Communications Devices
Cisco IP Phone 88x1 Series | CSCux00708 | 11.0(1)
Cisco DX Series IP Phones | CSCux00697 | 10.2(5)
Cisco IP Phone 88x5 Series | CSCux00748 | 11.0(1)
Cisco Unified 7800 Series IP Phones | CSCux00742 | 11.0(1)
Cisco Unified 8831 Series IP Conference Phone | CSCux01782 | (no fixed release listed)
Cisco Unified 8961 IP Phone | CSCux00707 | 9.4(2)SR3 (August 2016)
Cisco Unified 9951 IP Phone | CSCux00707 | 9.4(2)SR3 (August 2016)
Cisco Unified 9971 IP Phone | CSCux00707 | 9.4(2)SR3 (August 2016)
Cisco Unified Communications Manager (UCM) | CSCux00716 | 10.5(2)SU3
Cisco Unified Communications Manager Session Management Edition (SME) | CSCux00716 | 10.5(2)SU3
Cisco Unified IP Phone 7900 Series | CSCux00745 | 9.4(2)SR2
Cisco Unified IP Phone 8941 and 8945 (SIP) | CSCux01786 | (no fixed release listed)
Cisco Unified Wireless IP Phone | CSCux37802 | 1.4.8.4
Cisco Unity Connection (UC) | CSCux35568 | 10.5(2)SU3


ASA DHCPv6 Relay DoS Vulnerability (CVE-2016-1367):
A vulnerability in the DHCPv6 relay feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to reload.
The vulnerability is due to insufficient validation of DHCPv6 packets. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets to an affected device, resulting in a denial of service (DoS) condition.

Product | Bug ID | Affected Versions | Condition | Fixed Release
ASA 5500-X Series | CSCus23248 | 9.4.1 | DHCPv6 relay feature is configured (see example below) | 9.4(1.1), 9.4(2), 9.5(1), 9.5(2)
ASA Services Module for Catalyst 6500 and 7600 Routers | CSCus23248 | 9.4.1 | DHCPv6 relay feature is configured (see example below) | 9.4(1.1), 9.4(2), 9.5(1), 9.5(2)
Cisco Adaptive Security Virtual Appliance (ASAv) | CSCus23248 | 9.4.1 | DHCPv6 relay feature is configured (see example below) | 9.4(1.1), 9.4(2), 9.5(1), 9.5(2)

Condition example (the device is only exposed when DHCPv6 relay is enabled):
asa#show running-config ipv6 dhcprelay
ipv6 dhcprelay enable outside
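As an added example, not part of the original advisory or of any Cisco tooling, the following Python applies the table above to one ASA: it parses the release out of a constructed "show version" line, compares it with the fixed releases listed for CVE-2016-1367, and checks the DHCPv6 relay precondition in the output of "show running-config ipv6 dhcprelay". The sample device outputs are constructed, and all function and constant names are this example's own.

```python
import re

# Fix data copied from the advisory table (CVE-2016-1367, bug CSCus23248):
# affected release 9.4.1; first fixed release in the 9.4 train is 9.4(1.1).
# 9.5(1) and 9.5(2) are listed as fixed, so the 9.5 train is never affected.
AFFECTED_TRAIN = (9, 4)
FIRST_FIXED_IN_TRAIN = (9, 4, 1, 1)

# Constructed sample device outputs (not captured from a real device).
SAMPLE_VERSION_LINE = "Cisco Adaptive Security Appliance Software Version 9.4(1)"
SAMPLE_DHCPRELAY_CONFIG = """\
ipv6 dhcprelay server 2001:db8::1 inside
ipv6 dhcprelay enable outside
"""


def parse_asa_version(text):
    """Normalise '9.4(1.1)', '9.4(2)' or '9.4.1' into a tuple of ints.

    The advisory writes the same release both as 9.4.1 and 9.4(1), so the
    comparison uses only the numeric components.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_from_show_version(output):
    """Pull the release string out of 'show version' output."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def dhcpv6_relay_enabled(running_config):
    """The advisory's precondition: an 'ipv6 dhcprelay enable <if>' line is present."""
    return any(re.match(r"\s*ipv6 dhcprelay enable\b", line)
               for line in running_config.splitlines())


def exposed_to_cve_2016_1367(version_text, running_config):
    """Return (exposed, reason) for one ASA given its release string and the
    output of 'show running-config ipv6 dhcprelay'."""
    ver = parse_asa_version(version_text)
    if ver[:2] != AFFECTED_TRAIN:
        return False, "release train not listed as affected"
    if ver >= FIRST_FIXED_IN_TRAIN:
        return False, "running a fixed release"
    if not dhcpv6_relay_enabled(running_config):
        return False, "affected release, but DHCPv6 relay is not configured"
    return True, "affected release with DHCPv6 relay enabled: upgrade to 9.4(1.1) or later"


if __name__ == "__main__":
    release = version_from_show_version(SAMPLE_VERSION_LINE)
    print(release, exposed_to_cve_2016_1367(release, SAMPLE_DHCPRELAY_CONFIG))
```

The relay check matters as much as the version check: a 9.4(1) box with no "ipv6 dhcprelay enable" line is not exposed and can be scheduled normally, while one with the relay enabled should be patched first.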


WLC Multiple DoS Vulnerabilities
  • CVE-2016-1363: WLC HTTP Parsing DoS Vulnerability
    The vulnerability is due to improper handling of HTTP traffic by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to cause a buffer overflow condition.
  • CVE-2016-1364: WLC Bonjour Task Manager DoS Vulnerability
    A vulnerability in the Bonjour task manager of WLC could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper handling of Bonjour traffic by the affected software.
  • CVE-2016-1362: WLC Management Interface DoS Vulnerability
    The vulnerability is due to the presence of unsupported URLs in the web-based device management interface provided by the affected software. An attacker could exploit this vulnerability by attempting to access a URL that is not generally accessible from and supported by the management interface.
Product: WLC (all three vulnerabilities). For each, the table gives the major release, the first release that fixes that vulnerability, and the first release that fixes all 3 WLC vulnerabilities.

HTTP Parsing DoS (CVE-2016-1363, bug CSCus25617)
Major Release | First Fixed Release for this Vulnerability | First Fixed Release for all 3 WLC Vulnerabilities
pre-7.2 | not affected | -
7.2 | 8.0.132.0 | 8.0.132.0
7.3 | 8.0.132.0 | 8.0.132.0
7.4 | 7.4.140.0(MD) | 8.0.132.0
7.5 | 8.0.132.0 | 8.0.132.0
7.6 | 8.0.132.0 | 8.0.132.0
8.0 | 8.0.115.0(ED) | 8.0.132.0
8.1 and later | not affected | -

WLC Bonjour Task Manager DoS (CVE-2016-1364, bug CSCur66908)
Major Release | First Fixed Release for this Vulnerability | First Fixed Release for all 3 WLC Vulnerabilities
pre-7.4 | not affected | -
7.4 | 7.4.130.0(MD) | 8.0.132.0
7.5 | 8.0.132.0 | 8.0.132.0
7.6 | 8.0.132.0 | 8.0.132.0
8.0 | 8.0.110.0 | 8.0.132.0
8.1 and later | not affected | -

Management Interface DoS (CVE-2016-1362, bug CSCun86747)
Major Release | First Fixed Release for this Vulnerability | First Fixed Release for all 3 WLC Vulnerabilities
4.x | 8.0.132.0 | 8.0.132.0
5.x | 8.0.132.0 | 8.0.132.0
6.5 | 8.0.132.0 | 8.0.132.0
7.0 | 8.0.132.0 | 8.0.132.0
7.1 | 8.0.132.0 | 8.0.132.0
7.2 | 8.0.132.0 | 8.0.132.0
7.3 | 8.0.132.0 | 8.0.132.0
7.4 | 7.4.130(MD) | 8.0.132.0
7.5 | 8.0.132.0 | 8.0.132.0
7.6 | 7.6.120.0 | 8.0.132.0
8.0 and later | not affected | -

--
Elie Bassil

Sources:

Data Consult Acquires WorldNet

Lebanon, 15 March 2016: Data Consult, a leading Information & Communications Technology (ICT) company with a multi-regional footprint across the Middle East and Africa, has acquired Worldnet, one of the leading Workspace Virtualization and Cloud Solutions providers in the region. Worldnet has joined the Data Consult group of companies.


Data Consult has been recently engaged in steering its strategy to tackle head on the global ICT sector shifting trends, thus providing innovative solutions aligned with the market evolving needs. The acquisition is a result of six months of discussions between Data Consult and Worldnet, whereby both companies have acknowledged the major synergies they would deliver across the Middle East and Africa. The strategic and financial advisory firm, Creed Capital, has been involved in forming a nexus between both entities, conducting the due diligence and bringing the negotiations to a successful conclusion.


Commenting on the potential of the acquisition, Mr. Elias Houayek, CEO of Data Consult, stated: “We are indeed enthusiastic about the acquisition of Worldnet, representing an excellent addition to our Group. We are committed to securing all required investments to propel Worldnet’s capabilities so it can easily meet its clients’ evolving needs. This collaboration will allow us to provide greater value to our clients by relying on Worldnet’s expertise and Data Consult’s vast experience and deep knowledge of the earmarked region.”


Mr. Marc Nader, Data Consult’s Chief Operating Officer commented: “Worldnet will continue building on its pioneering projects as a Cloud and Workspace Virtualization specialist. Under Data Consult’s leadership, the company will be able to further specialize and deliver solutions to an increasing number of customers helping them realize their business outcomes through the promise of technology across areas like Operations Intelligence, Hybrid Cloud and the Mobile Digital Workspace.”


Mr. Paul Mrad, CEO of Worldnet, stated: “We are overjoyed to join forces with a prominent group such as Data Consult. We are confident that by coupling our established expertise with Data Consult’s regional presence and experience, we would succeed in delivering highly innovative ICT solutions to a larger number of corporations and SMEs in the region.”


Mr. Alexandre Ziad Karkour, CEO of Creed Capital, commented on Creed’s success in bringing this transaction to fruition: “We have been advising Data Consult on its strategic growth and consider this acquisition as a promising milestone in developing Data Consult’s capabilities as a regional powerhouse offering a comprehensive spectrum of technology solutions through the whole ICT pyramid.”


About Data Consult: founded in 1991, Data Consult has been delivering avant-garde, integrated ICT solutions in the Middle East and Africa regions. Data Consult has partnered with the best technology suppliers and has consistently invested in training its workforce. With over 150 highly skilled professionals dedicated to serving its clients, it has become a recognized industry leader, garnering more than 100 vendor and industry awards over the past two and a half decades. Presently, it is at the forefront of solution design, solution integration, project management and managed services.

About WorldNet: founded in 2004, WorldNet is one of the leading ICT Enterprise Solutions providers in end-to-end Virtualization and Cloud Computing for local, regional and multinational companies in the Levant, North Africa, Pakistan and the Gulf countries. WorldNet is well known across the MENA region as a company focusing on Virtualization and Cloud Strategies.
One of their state-of-the-art Workspace Virtualization projects in Lebanon was at USEK University, where they allowed students to run very graphics-intensive and engineering applications from anywhere and on any BYOD device. This project was the first of its kind in the academic world outside of the US.


About Creed Capital: Creed Capital is a strategic consulting, corporate finance and M&A advisory firm with presence in Beirut, Paris, London and Mauritius and a regional access across the EMEA. Creed Capital focuses on serving leading companies and financial institutions across the EMEA region and beyond, and helping businesses in the lower and middle markets with all their growth challenges. Creed has consolidated its market knowledge and unrivalled network to consistently enhance opportunities for its clients. Its flexible yet disciplined approach brings the right set of skills to different business needs when and where they are required.

Locky Ransomware

What is Ransomware?

Ransomware is a malicious program that denies users access to their own files by hiding or scrambling them and/or encrypting them with strong encryption algorithms. It then forces the victim to pay a ransom through an online payment, usually in bitcoin, in order to regain access to their data. This type of malware infects a computer or system through various attack vectors, ranging from malicious email attachments, malicious online ads and pop-ups and scam campaigns to infected downloads. It is important to note that paying the ransom does not guarantee that the victim will get their data back.

Locky

Locky is a relatively new ransomware that started attacking victims in early 2016. Recently, a Hollywood hospital paid around $17,000 to unlock its medical records after such an infection. Several companies in Lebanon have also been infected and turned to us for help and guidance.
A user gets infected by interacting with malicious online ads and pop-ups. The most common attack vector, however, is a Microsoft Word macro file delivered through spam email or mail from infected contacts. When opened, the Word document advises the victim to enable macros if the text encoding looks incorrect, as seen in the image below.
Enabling macros does not fix the text encoding as claimed; it runs the code embedded in the document, which drops a malicious file onto your system. This file connects to the internet, downloads the Locky ransomware and runs it.
Once the main executable runs, Locky inspects your security posture and tries to disable common controls. It then searches for common file types (Office documents, images, videos and other data files) and encrypts them with strong encryption, commonly RSA-4096 combined with AES-128, which all but guarantees that the attacker is the only party able to decrypt the files. Moreover, some variants delete the Volume Snapshot Service (VSS) shadow copies that Microsoft Windows keeps as live backup versions of files, so that the victim cannot restore earlier, uninfected versions.
After encrypting your files, Locky may regularly change your desktop to the image below, or simply place image files in the same folders as the encrypted files to walk you through the instructions. The links shown are TOR links hosted on the dark web and can only be reached with a TOR-based browser. Following the instructions, the victim may pay a ransom of between BTC 0.5 and BTC 1 (BTC is short for bitcoin, an e-currency currently worth around $400). After paying the ransom, the victim is provided with their decryption keys to recover their data.
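The shadow-copy deletion described above is one of the few steps in this chain that leaves an obvious trace in process-creation logs, so it is worth alerting on. The Python below is an added detection example, not part of the original write-up: it scans constructed Sysmon-style process events for the standard Windows commands that remove shadow copies (vssadmin and wmic, an assumption about which tools a variant uses, since the text does not name them) and raises the severity when the parent process runs from a user-writable path. Event fields, hostnames and the dropper path are all made up for the example.

```python
import re

# Constructed process-creation events (Sysmon-style fields, simplified):
# (host, parent_image, image, command_line). None of these are real logs.
SAMPLE_EVENTS = [
    ("ws-12", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c dir"),
    # hypothetical dropper path in the user's Temp folder
    ("ws-12", r"C:\Users\jdoe\AppData\Local\Temp\dropper-sample.exe",
     r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),
    ("srv-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    ("srv-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe list shadows"),   # listing is benign and must not alert
]

# Command lines that remove shadow copies; both are built-in Windows utilities.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

# A parent process started from a user-writable location is the strongest sign
# that the deletion is not an administrator's deliberate housekeeping.
USER_WRITABLE_PARENT = re.compile(r"\\(?:users|temp|appdata|programdata)\\", re.IGNORECASE)


def find_shadow_copy_deletions(events):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for host, parent, image, cmdline in events:
        if not any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
            continue
        severity = "high" if USER_WRITABLE_PARENT.search(parent) else "medium"
        alerts.append({"host": host, "parent": parent, "image": image,
                       "command_line": cmdline, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["command_line"])
```

A "medium" hit from an administrative shell still deserves a look, but the "high" case, where the parent is an executable living under a user profile, is exactly the pattern a macro dropper produces and should trigger isolation of the host (the last item in the IT recommendations below).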
How to protect yourself?
In order to clean any personal desktop/laptop or infected server, follow the steps in the guide below by Malwarebytes. Note that most of the software products mentioned are free.
Malware Removal Guide for Windows

A user should follow certain precautions in order to avoid this infection and many other similar malicious programs. Our recommendations are detailed below:

Personal Users:

  • Use an up-to-date antivirus system
  • Install Adblock Plus extension on all your internet browsers: Install Adblock Plus
  • Avoid using Office macros and disable them: Disable Macros in Office documents
  • Don’t open email attachments from unknown contacts
  • Backup your critical files and save them on a remote storage
  • Keep your system up-to-date and patched
  • Don’t provide administrator privileges to running programs if you are not sure

IT Departments:

  • Restrict downloads of Microsoft Word macro files and disable them on your domain if possible
  • Use email filters to detect spam and malicious attachments. We suggest you use the Cisco IronPort Email Security Appliance
  • Use a web filter to block online ads, pop-ups and blacklisted domains. We suggest you use BlueCoat Web Proxy
  • Restrict the download of malicious files and executables. We suggest you use BlueCoat Web Proxy
  • Make sure your AV system is up-to-date
  • Backup your files regularly and keep a backup of critical data off-site
  • Only use administrator privilege/accounts when needed
  • In case of infection, always isolate the targets
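The first two IT recommendations (restrict macro files, filter malicious attachments) come down to recognising a macro-bearing Office document at the mail or web gateway by its content rather than its file name. The following Python is an added example, not code from the original post or from any of the products named above: it builds a minimal OOXML package in memory as a constructed test fixture, then classifies attachment bytes by looking for the vbaProject.bin part (or its content type) inside the package and flags legacy binary Office files for deeper inspection. All function and constant names are this example's own.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (.doc, .xls)
VBA_PART = "vbaproject.bin"                          # macro storage part inside an OOXML package
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_ooxml(with_macro):
    """Construct a minimal Word OOXML package in memory (test fixture, not a real document)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    f'<Types xmlns="{CT_NS}">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # placeholder bytes standing in for a compiled VBA project
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder\x00")
    return buf.getvalue()


def classify_attachment(data):
    """Return 'macro', 'legacy-binary', 'clean' or 'not-office', judged from content only."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # the macro project is a part named vbaProject.bin anywhere in the package
        if any(n.rsplit("/", 1)[-1].lower() == VBA_PART for n in names):
            return "macro"
        # belt and braces: the part may be declared even if renamed
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            return "macro"
    return "clean"


def gateway_action(filename, data):
    """Policy: quarantine macro-bearing attachments, send legacy binaries for deeper
    inspection (VBA inside OLE files needs an OLE parser such as oletools), allow the rest."""
    verdict = classify_attachment(data)
    if verdict == "macro":
        reason = "macro project present"
        if not filename.lower().endswith(MACRO_EXTENSIONS):
            reason += " despite non-macro extension"   # file name does not match content
        return "quarantine", reason
    if verdict == "legacy-binary":
        return "inspect", "legacy binary Office file; macros cannot be ruled out by container alone"
    return "allow", verdict


if __name__ == "__main__":
    print(gateway_action("invoice.docx", build_ooxml(True)))
    print(gateway_action("report.docx", build_ooxml(False)))
```

Deciding on the bytes rather than the extension is the point: a lure renamed to a harmless-looking name still carries its vbaProject.bin, and the mismatch between name and content is itself a useful signal in the quarantine reason.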