This week, Cisco released several security advisories regarding various bug fixes. It also patched two critical flaws and recommended workarounds for a third one. However, one of these advisories looked somewhat distinct, as it did not inform of any vulnerability or patch. Rather, it addressed a QA failure. As revealed, Cisco mistakenly leaked an in-house Dirty COW exploit code in two of its software.
Cisco’s QA Blunder Leaked Dirty COW Exploit Code
As explained in Cisco’s advisory released this week, the vendors accidentally leaked a Dirty COW exploit code in their software. The firm confesses an internal quality assurance failure that resulted in the accidental release of the exploit code used in-house for validation purposes.
According to the advisory,
A failure in the final QA validation step of the automated software build system for the Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software inadvertently allowed a set of sample, dormant exploit code used internally by Cisco in validation scripts to be included in shipping software images. This includes an exploit for the Dirty CoW vulnerability (CVE-2016-5195).
Cisco found this issue during an internal security testing after which it publicly disclosed the matter. The issue seemingly affected the recent versions of the affected software.
This issue affects Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) image versions X8.9 through X8.11.3. Versions prior to X8.9 are not affected by this issue.
Cisco Confirms No Security Risks
Dirty COW vulnerability (CVE-2016-5195) was a privilege escalation flaw primarily affecting Linux Kernel’s copy-on-write (COW) feature. However, in 2017, it was found to be impacting Androids too.
In any case, the problem discussed here does not pose any significant security threats to the users owing to the dormancy of the code. Besides, Cisco confirms that the software carrying the exploit codes also carry the patches.
Moreover, Cisco has also removed the images carrying the exploit codes from the Cisco Software Center. It also assures that it plans to replace them with ‘fixed software images’ soon.