Cisco fixed a hole in the company’s Cloud Services Platform as well as WPA2 vulnerabilities that can end up exploited in the KRACK attacks.
Cisco is still working on finishing the list of its products that suffer from the one or more of the ten vulnerabilities affecting WPA and WPA2 discovered by researcher Mathy Vanhoef.
“Among these ten vulnerabilities, only one (CVE-2017-13082) may affect components of the wireless infrastructure (for example, Access Points), the other nine vulnerabilities affect only client devices,” Cisco officials said.
CVE-2017-13082 is also the only vulnerability for which there is a workaround because it affects only deployments that support the fast BSS transition (FT) feature and have it enabled.
For the rest, Cisco sent out security updates or is in the process of doing so.
Click here for a list of affected devices – routers, IP phones, access points, endpoint clients and client software.
The Cloud Services Platform vulnerability ended up discovered by Chris Day, a security consultant with MWR InfoSecurity.
The web console flaw could allow an authenticated, remote attacker to interact with the services or virtual machines operating remotely on an affected CSP device.
“The vulnerability is due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console. An attacker could exploit this vulnerability by browsing to one of the hosted VMs’ URLs in Cisco CSP and viewing specific patterns that control the web application’s mechanisms for authentication control. An exploit could allow the attacker to access a specific VM on the CSP, which causes a complete loss of the system’s confidentiality, integrity, and availability,” the company said in a post.
Cisco released software updates that address this vulnerability. There is no workaround for the flaw, so users can download and implement Cisco Cloud Services Platform Release 2.2.3 or later.