The networking behemoth released 27 patches affecting a broad range of its products running the IOS XE software.

UPDATE

On Wednesday, Cisco Systems released 24 patches for weaknesses in its IOS XE operating system and warned customers that two of its small business routers remain open to attack. The networking giant rated 19 of the bugs as high severity, while the others were graded as medium.

The two router vulnerabilities, both rated high, affect Cisco’s RV320 and RV325 Dual Gigabit WAN VPN line of small business routers. Although both router defects were first fixed in January, Cisco said Wednesday that both patches were “incomplete” and that both routers were still open to attack. It added that there are no workarounds that address either vulnerability.

Cisco said that one of the router flaws, CVE-2019-1652, is a command injection vulnerability caused by improper validation of user-supplied input. The flaw could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.

The second router flaw, CVE-2019-1653, is an information disclosure vulnerability that also affects the Cisco Small Business RV320 and RV325 routers. Cisco said that a weakness in the web-based management interface of the Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information.

One bug, CVE-2019-1745, is a command injection vulnerability in Cisco IOS XE software. According to Cisco, a local attacker could exploit the vulnerability to inject arbitrary commands into the operating system, which are then executed with elevated privileges.

Cisco said that the vulnerability is due to insufficient input validation of user-supplied commands, adding that an attacker could exploit it by authenticating to a device and submitting crafted input to the affected commands.

The two command injection patches (CVE-2019-1756 and CVE-2019-1755) address flaws that allow a remote, authenticated attacker to execute commands on devices running vulnerable Cisco IOS XE software.

Cisco said that the vulnerability exists because the affected software insufficiently sanitizes user-supplied input, adding that an attacker with valid administrator access to an affected device could exploit it by supplying a username containing a malicious payload in the web UI and then making a request to a particular endpoint in the web UI.
