A high-severity malware has been found to Cisco’s enterprise-class Industrial Network Director that allows remote attackers to hijack this industrial network and allows attackers for arbitrary code execution as the root user. The Cisco Industrial Network Director (IND) is designed to help operations teams gain full visibility of network and automation devices in the context of the automation process and provides improved system availability and performance, leading to increased Overall Equipment Effectiveness (OEE).
This remote code execution (RCE) flaw impacting Cisco IND is tracked as CVE-2019-1861. The improper validation of files uploaded to the affected application causes the vulnerability in the software update feature of Cisco Industrial Network Director. The attacker could authenticate the affected system using administrator privileges and uploading an arbitrary file to exploit this vulnerability. This impacted the versions of Industrial Network Director prior to the 1.6.0 release.
This security vulnerability is an unintended weakness in the product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product.
Cisco issued software updates while there are no workarounds for this RCE vulnerability rated with a 7.2 CVSS 3.0 base score which addresses this vulnerability starting with Cisco IND 1.6.0. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license. In order to have malware protection, customers may only download software for which they have a valid license acquired directly from Cisco or through a Cisco authorized reseller or partner.
Cisco said that the vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. They also added that a successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not impact users who were authenticated prior to an attack.
The Cisco Product Security Incident Response Team (PSIRT) is responsible for malware check to Cisco product security incidents. According to them, there are no malicious or active exploitation for the vulnerabilities described above has been detected.