Cisco Industrial Network Director allows hackers to take control of your networks and shut them down

Specialists in information security training have reported a dangerous vulnerability in Industrial Network Director (IND), a Cisco enterprise-level solution. Remote threat actors could abuse it to take control of the network and execute arbitrary code with administrator privileges.

IND was designed to help organizations’ operational staff gain complete visibility into network and automation devices, providing improved system availability and performance for the benefit of process optimization. 

The remote code execution vulnerability is tracked as CVE-2019-1861. According to the information security training experts, the flaw resides in the IND software update feature and exists due to incorrect validation of the files uploaded to the application. Threat actors could exploit the flaw by authenticating to the affected system with administrator privileges to upload arbitrary files. The flaw affects all versions of IND prior to 1.6.0.

The company has already released security patches for this flaw. There are currently no known workarounds, so administrators of vulnerable deployments are strongly encouraged to upgrade to the latest available version.

According to the report from the information security training experts, the flaw received a score of 7.2/10 on the Common Vulnerability Scoring System (CVSS) scale, so it is considered a high-severity flaw.

In a later release, Cisco mentioned that the vulnerability exists due to insufficient controls for specific memory operations: “A hacker can send a specially designed XMPP protocol authentication request to attack the affected system,” the company says. Cisco added that successfully exploiting the flaw would allow hackers to force a restart of the authentication service on the affected system, so some users would not be able to log in.

On the other hand, the Cisco Product Security Incident Response Team (PSIRT) states that no cases of active exploitation of this vulnerability have been detected so far, although the possibility has not been ruled out, the International Institute of Cyber Security (IICS) mentions.