Cisco is warning admins running it Cisco Small Business 220 Series Smart Switches to apply updates that address two dangerous flaws in device’s web management interface.
It has also flagged five high severity flaws affecting Webex and its enterprise networking software.
One of the critical flaws affecting its small business switches is because the software doesn’t sufficiently validate data input into the web interface or do adequate checks when reading data into an internal buffer.
The flaw is fixed in the 220 Series Smart Switches firmware releases 18.104.22.168 and later, but releases prior to that could allow a remote attacker to send malicious HTTP or HTTPS requests to the interface, which allow them to run malware with root privileges on the device’s operating system.
The second vulnerability also affects releases prior to 22.214.171.124 and is because of “incomplete authorisation checks” in the device’s web interface, and could allow a remote attacker to send malicious requests and upload files in order to change the device’s configuration or implant a reverse shell that allows the target device to communicate to an attacker’s machine. The two flaws are tagged as CVE-2019-1912 and CVE-2019-1913.
Both flaws were reported by a researcher called "bashis" through the VDOO Disclosure Program.
Cisco earlier this year warned customers of its RV-line of SMB appliances that potential attackers were scanning for devices with recently disclosed critical vulnerabilities, highlighting that attackers are on the look out for exploitable flaws in Cisco's popular equipment.
Cisco’s Webex network recording player for Windows and player for Windows also have a high-severity flaw that could allow an attacker to run malicious code on an affected Windows system.
The bugs are caused by Webex not properly validating custom file formats for the software, which could be exploited with specially crafted files downloaded to system from a web link or in an email attachment.
“A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user,” Cisco warns.
Cisco has fixes available for Webex Business Suite Sites, Webex Meetings Online, and Webex Meetings Server.
Another high-severity issue was found by Cisco in its Enterprise NFV Infrastructure Software’s implementation of the Virtual Network Computing (VNC) console because its authentication mechanism wasn’t working as intended.
The company also highlighted two high-severity flaws affecting its IOS XR networking operating system due to its implementation of the Intermediate System–to–Intermediate System (IS-IS) routing protocol. Both of the flaws could be used to create a denial of service on a device.
The final high severity flaw in this round of disclosures affected Cisco’s Adaptive Security Appliance (ASA) software. A remote attacker who had logged in to an affected device could to elevate privileges and execute administrative functions on it.
The remaining flaws were all rated as medium severity, details of which can be found on Cisco’s advisory and alerts page.