Specialists in information security training have reported the discovery of a dangerous vulnerability in Industrial Network Director (IND), a Cisco enterprise-level solution, which could be abused by remote threat actors to take control of the network and execute arbitrary code with administrator privileges.
IND was designed to help organizations’ operational staff gain complete visibility into network and automation devices, providing improved system availability and performance for the benefit of
code execution vulnerability has been tracked as CVE-2019-1861. According to the information security training experts, this flaw resides in the IND software update feature and exists due to incorrect validation of the files uploaded to the application. Threat actors could exploit the flaw by authenticating to the affected system with administrator privileges to upload arbitrary files. It should be noted that the flaw affects all versions of IND prior to 1.6.0.
The company has already released security patches for this flaw. There are currently no known workarounds, so administrators of vulnerable deployments are strongly encouraged to upgrade to the latest
According to the report by the information security training experts, the flaw received a score of 7.2/10 on the Common Vulnerability Scoring System (CVSS) scale, so it is considered a high-severity error.
In a later release, Cisco mentioned that the vulnerability exists due to insufficient controls for specific memory operations: “A hacker can send a specially designed XMPP protocol authentication request to attack the affected system,” the company says. Cisco added that successfully exploiting the flaw would allow hackers to force a restart of the authentication service on the affected system, so some users would not be able to log in.
On the other hand, the Cisco Product Security Incident Response Team (PSIRT) states that no cases of active exploitation of this vulnerability have been detected so far, although the possibility has not been ruled out, the International Institute of Cyber Security mentions.