Operating System:

[Cisco]

Published:

19 April 2018

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2018.1221 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1221
         Cisco AMP for Endpoints macOS Connector DMG File Malware
                           Bypass Vulnerability
                               19 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco AMP for Endpoints macOS Connector
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0237  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-amp

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco AMP for Endpoints macOS Connector DMG File Malware Bypass Vulnerability

Medium

Advisory ID:      cisco-sa-20180418-amp

First Published:  2018 April 18 16:00 GMT

Version 1.0:      Final

Workarounds:      No workarounds available

Cisco Bug IDs:    CSCve34034
                  CVE-2018-0237
                  CWE-20
 
CVSS Score: 5.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the file type detection mechanism of the Cisco Advanced
    Malware Protection (AMP) for Endpoints macOS Connector could allow an
    unauthenticated, remote attacker to bypass malware detection.

    The vulnerability occurs because the software relies on only the file
    extension for detecting DMG files. An attacker could exploit this
    vulnerability by sending a DMG file with a nonstandard extension to a
    device that is running an affected AMP for Endpoints macOS Connector. An
    exploit could allow the attacker to bypass configured malware detection.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180418-amp

Affected Products

  o Vulnerable Products

    This vulnerability affects the macOS Connector of Cisco Advanced Malware
    Protection (AMP) for Endpoints. For information about affected software
    releases, consult the Cisco bug ID(s) at the top of this advisory.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this
    vulnerability.

    The following Cisco products are confirmed as not vulnerable:
      - AnyConnect Secure Mobility Client for iOS
      - AnyConnect Secure Mobility Client for Mac OS X
      - AMP for Endpoints Windows Connector
      - AMP for Endpoints Linux Connector
      - AMP for Endpoints iOS Connector
      - AMP for Endpoints Android Connector
      - Content Security Management Appliance
      - Email Security Appliance
      - Web Security Appliance

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is aware of a
    public announcement of this vulnerability. However, there have been no
    reports of malicious use of the vulnerability that is described in this
    advisory.

Source

  o Cisco would like to thank Yakov Shafranovich of Nightwatch Cybersecurity
    Research for reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20180418-amp

Revision History

  o 
    +----------+----------------------------+----------+---------+----------------+
    | Version  |        Description         | Section  | Status  |      Date      |
    +----------+----------------------------+----------+---------+----------------+
    | 1.0      | Initial public release.    | --       | Final   | 2018-April-18  |
    +----------+----------------------------+----------+---------+----------------+

- -------------------------------------------------------------------------------

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWtgwfYx+lLeg9Ub1AQi/Og//SKUQVzyo2xfytUKm4lvijHDNBR1ItjtY
VH0L42IDj5aFJxCNaK79eXV2aeNoEh5EIeKJRkoaoLqe9x2P5yBccR+DYvqecY+K
kgkeQ+O32MIek9YvjdxtSjMxEwu/tz9jEp+SV684OKNdvRNKoD9Qr2gdpIf0WLk8
EQagaBYChKDIm7LRiTNBw0HoIMQZNoMnh+55XMoAilwvsInVGt18w0GZ9rglM6kl
3MPflpZI/QxaQ2/31N37JRnCj0ZeoBn+9/aWvqW8dWvyPN3TBMfzYol6Gfa4YVnw
w8BHYnNtRakxvtMPYMIegXEUy4pyqiseP6AF0cOsEspkobEe//cLmUyKO2hes8d7
2JmgOQuVAleMGgDenAYi9UNNQug398pa1k6D0R3vk/KM04uk0AHoKOGLhB5BtfOP
pYCj5lFgMoin7x3wvIGxNMkn8GjSICctdH0QC33CQyguKgFe7NS4AVq+PjUIhgfW
UwMQCfvztCtpbimBaYbzgUbWCUIshwTpYS6dQ8xM1Sg7jEwgc47KG4l/HQ9SkpJR
7p9fefOBpkHfbhv51IUmFQVPqcc8krm7wIrdKAf6Jlg9SUvJecN2geOcIAn0uBY0
5FIpRB2W7YjKNyemqvYw49W+PO4L0nuKxAdGom3Ry5azsqNmntquqqvBXzRG7c8s
RvtFkog8zoM=
=8ag/
-----END PGP SIGNATURE-----