This week, Cisco addressed multiple security vulnerabilities affecting various Cisco products. The company patched several critical security flaws that could permit an attacker to remotely attack a system, execute arbitrary commands, or bypass user authentication. One of the advisories Cisco released addresses a QA failure: Cisco mistakenly shipped in-house Dirty COW exploit code in two of its software products.
According to the advisory released by Cisco this week, the vendor accidentally shipped Dirty COW exploit code in its software. The company described it as an internal quality assurance failure, which resulted in the accidental release of exploit code used in-house for validation purposes.
A failure occurred in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software, which accidentally allowed a set of sample, dormant exploit code used internally by Cisco in validation scripts to be included in shipping software images. This includes an exploit for the Dirty CoW vulnerability (CVE-2016-5195).
The company noticed the issue during its internal security testing and disclosed it publicly. The issue affects recent versions of the software: Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) image versions X8.9 through X8.11.3. Versions before X8.9 are not affected.
Cisco Confirms No Security Risks
The Dirty COW vulnerability, tracked as CVE-2016-5195, is a privilege escalation flaw mainly affecting the Linux kernel's copy-on-write (COW) feature. In 2017, it was found to affect Android as well.
In both cases, however, the issue does not pose any notable security threat to users because the code is dormant. Cisco also confirms that the software carrying the exploit code also carries the patches.
Cisco also removed the images carrying the exploit code from the Cisco Software Center. The company promised to replace them with ‘fixed software images’ as soon as possible.