===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.0488.4
       Container Privilege Escalation Vulnerability Affecting Cisco
                          Products: February 2019
                               20 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco products
                   Cisco Container Platform
                   Cisco Defense Orchestrator
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5736  

Reference:         ESB-2019.0466
                   ESB-2019.0458
                   ESB-2019.0428
                   ESB-2019.0427

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Revision History:  March    20 2019: Updated list of vulnerable products
                   March    11 2019: Updated to version 1.5 from vendor
                   February 21 2019: Updated list of products under investigation, 
                                     vulnerable and confirmed not vulnerable
                   February 18 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Container Privilege Escalation Vulnerability Affecting Cisco Products: February
2019

Priority:        High

Advisory ID:     cisco-sa-20190215-runc

First Published: 2019 February 15 17:00 GMT

Last Updated:    2019 March 15 19:59 GMT

Version 1.6:     Final

Workarounds:     No workarounds available

CVE-2019-5736    

CWE-264

Summary

  o A vulnerability in the Open Container Initiative runc CLI tool used by
    multiple products could allow an unauthenticated, remote attacker to
    escalate privileges on a targeted system.

    The vulnerability exists because the affected software improperly handles
    file descriptors related to /proc/self/exe. An attacker could exploit the
    vulnerability either by persuading a user to create a new container using
    an attacker-controlled image or by using the docker exec command to attach
    into an existing container that the attacker already has write access to. A
    successful exploit could allow the attacker to overwrite the host's runc
    binary file with a malicious file, escape the container, and execute
    arbitrary commands with root privileges on the host system.

    This advisory will be updated as additional information becomes available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
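
A host-side integrity check for the runc binary that the Summary says a successful exploit overwrites, as an added example that is not part of the Cisco advisory or the runc project. The paths in the usage comment and the verdict names are assumptions; the in-place versus replaced distinction is a heuristic that assumes an upgrade installs a new file (new inode) while an overwrite through an open file descriptor keeps the existing inode.

```shell
#!/bin/sh
# Added example, not from the advisory: baseline and verify the host runc binary.
# Usage (paths are assumptions):
#   ./runc-integrity.sh record /usr/bin/runc /var/lib/runc.baseline
#   ./runc-integrity.sh verify /usr/bin/runc /var/lib/runc.baseline
# Requires GNU coreutils (sha256sum, stat -c).

# fingerprint <file>: print "<sha256> <inode> <mode>:<uid>" for the file.
fingerprint() {
    fp_sum=$(sha256sum -- "$1") || return 1
    fp_meta=$(stat -c '%i %a:%u' -- "$1") || return 1
    printf '%s %s\n' "${fp_sum%% *}" "$fp_meta"
}

# record_baseline <file> <baseline>: store the fingerprint. Keep the baseline
# somewhere that containers cannot write to.
record_baseline() {
    fingerprint "$1" > "$2"
}

# verify_baseline <file> <baseline>: print a verdict; return 0 only if unchanged.
verify_baseline() {
    vb_base=$(cat -- "$2" 2>/dev/null) || { echo NO_BASELINE; return 2; }
    vb_now=$(fingerprint "$1" 2>/dev/null) || { echo MISSING; return 2; }
    if [ "$vb_now" = "$vb_base" ]; then echo OK; return 0; fi
    # Split both fingerprints: $1-$3 baseline hash/inode/mode, $4-$6 current.
    set -- $vb_base $vb_now
    if [ "$1" = "$4" ]; then
        echo METADATA_CHANGED       # same bytes, different inode or permissions
    elif [ "$2" = "$5" ]; then
        echo OVERWRITTEN_IN_PLACE   # same inode, new bytes: investigate
    else
        echo REPLACED               # new inode and bytes: expected after an upgrade
    fi
    return 1
}

case "${1:-}" in
    record) record_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

After installing a fixed release, confirm the change was the upgrade and record a new baseline.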

Affected Products

  o The Vulnerable Products section will include Cisco bug IDs for each
    affected product or service. The bugs will be accessible through the Cisco
    Bug Search Tool and contain additional platform-specific information,
    including workarounds (if available) and fixed software releases.

    Vulnerable Products

    The following table lists Cisco products that are affected by the
    vulnerability that is described in this advisory. If a future release date
    is indicated for software, the date provided represents an estimate based
    on all information known to Cisco as of the Last Updated date at the top of
    the advisory. Availability dates are subject to change based on a number of
    factors, including satisfactory testing results and delivery of other
    priority features and fixes. If no version or date is listed for an
    affected component (indicated by a blank field and/or an advisory
    designation of Interim), Cisco is continuing to evaluate the fix and will
    update the advisory as additional information becomes available. After the
    advisory is marked Final, customers should refer to the associated Cisco
    bug(s) for further details.

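    +------------------------------+--------------+------------------------------------+
    | Product                      | Cisco Bug ID | Fixed Release Availability         |
    +------------------------------+--------------+------------------------------------+
    | Network Management and Provisioning                                              |
    +------------------------------+--------------+------------------------------------+
    | Cisco Container Platform     | CSCvo33929   | 3.1.0 (Mar 2019)                   |
    +------------------------------+--------------+------------------------------------+
    | Routing and Switching - Enterprise and Service Provider                          |
    +------------------------------+--------------+------------------------------------+
    | Viptela vContainer           | CSCvo36349   |                                    |
    +------------------------------+--------------+------------------------------------+
    | Cisco Cloud Hosted Services                                                      |
    +------------------------------+--------------+------------------------------------+
    | Cisco Cloudlock              | CSCvo37511   | Cisco will update affected systems |
    |                              |              | in Sept 2019                       |
    +------------------------------+--------------+------------------------------------+
    | Cisco Defense Orchestrator   | CSCvo42107   | Cisco updated affected systems     |
    |                              |              | On-prem: 19.8 (Available)          |
    +------------------------------+--------------+------------------------------------+
    | Cisco Smart Software Manager | CSCvo49760   |                                    |
    | Satellite                    |              |                                    |
    +------------------------------+--------------+------------------------------------+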

   
    Products Confirmed Not Vulnerable

    Only products and services listed in the Vulnerable Products section of
    this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    products and services:

    Network Application, Service, and Acceleration
       Cisco Adaptive Security Appliance (ASA) Software

    Network and Content Security Devices
       Cisco ASA CX
       Cisco ASA Next-Generation Firewall Services
       Cisco Firepower 9000 Series - Integrated Management Controller
       Cisco Identity Services Engine (ISE)

    Network Management and Provisioning
       Cisco Data Center Network Manager
       Cisco Jasper Control Center
       Cisco Managed Services Accelerator
       Cisco Policy Suite
       Cisco Virtual Topology System (formerly Cisco Virtual Systems
        Operations Center) - VTSR VM
       Cisco Virtualized Infrastructure Manager

    Routing and Switching - Enterprise and Service Provider
       Cisco 4000 Series Integrated Services Routers - IOx feature
       Cisco Application Policy Infrastructure Controller (APIC)
       Cisco DNA Center
       Cisco IOS XR Software
       Cisco Industrial Ethernet 4000 Series Switches (IOx feature)
       Cisco Nexus 3000 Series Switches
       Cisco Nexus 9000 Series Fabric Switches in Application Centric
        Infrastructure (ACI) mode
       Cisco Nexus 9000 Series Switches in standalone NX-OS mode
       Cisco Virtual Application Policy Infrastructure Controller (APIC)

    Unified Computing
       Cisco Enterprise NFV Infrastructure Software (NFVIS)
       Cisco HyperFlex System
       Cisco Intersight
       Cisco UCS 6200 Series Fabric Interconnects
       Cisco UCS B-Series M3 Blade Servers
       Cisco UCS Fabric Interconnects
       Cisco UCS Manager

    Cisco Cloud Hosted Services
       Cisco Metacloud
       Cisco Umbrella
       Cisco Webex Teams (formerly Cisco Spark)


Workarounds

  o Any workarounds for a specific Cisco product or service will be documented
    in the relevant Cisco bugs, which are identified in the Vulnerable Products
    section of this advisory.

Fixed Software

  o For information about fixed software releases, consult the Cisco bugs
    identified in the Vulnerable Products section of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    TAC or their contracted maintenance providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o On February 12, 2019, the runc maintainers publicly disclosed this
    vulnerability on the oss-sec mailing list. This announcement is at the
    following link: https://seclists.org/oss-sec/2019/q1/119 .

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o runc System File Descriptors Handling Privilege Escalation Vulnerability

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc

Revision History

  o +---------+-----------------+-----------------+---------+------------------+
    | Version |   Description   |     Section     | Status  |       Date       |
    +---------+-----------------+-----------------+---------+------------------+
    |         |                 | Updated the     |         |                  |
    |         | Updated the     | lists of        |         |                  |
    |         | lists,          | products under  |         |                  |
    |         | vulnerable      | investigation,  |         |                  |
    | 1.6     | products, and   | vulnerable      | Final   | 2019-March-15    |
    |         | products        | products, and   |         |                  |
    |         | confirmed not   | products        |         |                  |
    |         | vulnerable.     | confirmed not   |         |                  |
    |         |                 | vulnerable.     |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    |         | Updated the     |                 |         |                  |
    |         | lists of        | Affected        |         |                  |
    |         | products under  | Products,       |         |                  |
    |         | investigation,  | Vulnerable      |         |                  |
    | 1.5     | vulnerable      | Products,       | Interim | 2019-March-08    |
    |         | products, and   | Products        |         |                  |
    |         | products        | Confirmed Not   |         |                  |
    |         | confirmed not   | Vulnerable      |         |                  |
    |         | vulnerable.     |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    |         | Updated the     |                 |         |                  |
    |         | lists of        | Affected        |         |                  |
    |         | products under  | Products,       |         |                  |
    |         | investigation,  | Vulnerable      |         |                  |
    | 1.4     | vulnerable      | Products,       | Interim | 2019-February-26 |
    |         | products, and   | Products        |         |                  |
    |         | products        | Confirmed Not   |         |                  |
    |         | confirmed not   | Vulnerable      |         |                  |
    |         | vulnerable.     |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    |         | Updated the     |                 |         |                  |
    |         | lists of        | Affected        |         |                  |
    |         | products under  | Products,       |         |                  |
    |         | investigation,  | Vulnerable      |         |                  |
    | 1.3     | vulnerable      | Products,       | Interim | 2019-February-21 |
    |         | products, and   | Products        |         |                  |
    |         | products        | Confirmed Not   |         |                  |
    |         | confirmed not   | Vulnerable      |         |                  |
    |         | vulnerable.     |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    |         | Updated the     |                 |         |                  |
    |         | lists of        | Affected        |         |                  |
    |         | products under  | Products,       |         |                  |
    |         | investigation,  | Vulnerable      |         |                  |
    | 1.2     | vulnerable      | Products,       | Interim | 2019-February-20 |
    |         | products, and   | Products        |         |                  |
    |         | products        | Confirmed Not   |         |                  |
    |         | confirmed not   | Vulnerable      |         |                  |
    |         | vulnerable.     |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    |         | Updated the     |                 |         |                  |
    |         | lists of        | Affected        |         |                  |
    |         | products under  | Products,       |         |                  |
    |         | investigation,  | Vulnerable      |         |                  |
    | 1.1     | vulnerable      | Products,       | Interim | 2019-February-18 |
    |         | products, and   | Products        |         |                  |
    |         | products        | Confirmed Not   |         |                  |
    |         | confirmed not   | Vulnerable      |         |                  |
    |         | vulnerable.     |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+
    | 1.0     | Initial public  | -               | Interim | 2019-February-15 |
    |         | release.        |                 |         |                  |
    +---------+-----------------+-----------------+---------+------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================