Cisco: Security vulnerabilities in numerous products
Cisco has published security advisories for a range of products. Among them is one critical vulnerability.
Vulnerabilities threaten Cisco devices.
(Image: created with AI in Bing Designer by heise online / dmk)
Cisco published 15 new security advisories on Thursday night. They cover a whole range of products and include one vulnerability rated critical and two rated high. IT managers should check whether they operate affected devices and apply the available updates promptly.
The vulnerability in Cisco Unified Industrial Wireless Software (CVE-2024-20418) carries the highest possible rating, "critical", with a CVSS score of 10 out of 10. It lies in the web-based management interface of Cisco Ultra-Reliable Wireless Backhaul (URWB) access points and is reachable when the device runs in URWB operating mode. Unauthenticated attackers on the network can use it to inject commands that are executed with root privileges on the underlying operating system; sending crafted HTTP requests to the management interface is sufficient. Updates are available for the affected Catalyst IW9165D Heavy Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients, and Catalyst IW9167E Heavy Duty Access Points.
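To make the vulnerability class concrete, here is an added illustration in Python of an OS command injection of the kind described above, beside its hardened form. This is not Cisco's code and says nothing about how the URWB firmware is built: the diagnostic handler, its `lines` parameter, the log file and the payload are all constructed for the example. The pattern, an HTTP query parameter spliced into a shell command line that runs as the web server's user, is what turns one crafted request into root command execution on an embedded device.

```python
"""Added illustration (not Cisco's code): command injection through a hypothetical
web-management diagnostic handler, beside a hardened version of the same handler.
Log file, parameter name and payload are constructed for this example."""
import re
import subprocess
import tempfile

# Constructed log file standing in for a device log the management UI can display.
_log = tempfile.NamedTemporaryFile("w", suffix=".log", delete=False)
_log.write("line1\nline2\nline3\n")
_log.close()
LOG_PATH = _log.name


def show_log_vulnerable(count: str) -> str:
    """Hypothetical handler for GET /diag/log?lines=<count>.

    Bug: the untrusted query parameter is interpolated into a command line that a
    shell then parses (shell=True). Metacharacters such as ';' let the caller append
    arbitrary commands, which run as the web server's user, root on many devices.
    """
    cmd = f"tail -n {count} {LOG_PATH}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def show_log_hardened(count: str) -> str:
    """Same handler with the two fixes that matter: validate the parameter against a
    strict pattern (here: a positive integer, at most four digits) and pass an argv
    list so that no shell ever parses the input."""
    if not re.fullmatch(r"[1-9][0-9]{0,3}", count):
        raise ValueError("lines must be an integer between 1 and 9999")
    argv = ["tail", "-n", count, LOG_PATH]
    result = subprocess.run(argv, capture_output=True, text=True, check=True,
                            stdin=subprocess.DEVNULL)
    return result.stdout


def hardened_rejects(count: str) -> bool:
    """True if the hardened handler refuses the input instead of running it."""
    try:
        show_log_hardened(count)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload: closes the tail command, runs a second command, and
    # comments out the rest of the original command line.
    payload = "1 /dev/null; echo INJECTED; #"
    print("vulnerable:", show_log_vulnerable(payload).strip())   # prints INJECTED
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened, benign input:", show_log_hardened("2").strip())
```

The argv form is the important half of the fix: even with a sloppier validator, `["tail", "-n", count, LOG_PATH]` hands the value to `tail` as a single argument, so `;`, `|` and backticks have no meaning. Input validation then only has to keep `tail` itself from being abused (for example by rejecting a leading `-`, which the regex does).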
High-risk Cisco vulnerabilities
In Cisco's Nexus Dashboard Fabric Controller, authenticated network attackers with only read-only privileges can exploit an SQL injection vulnerability in a REST API endpoint and in the web-based management interface to execute arbitrary SQL commands on vulnerable devices. This lets them read, modify or delete arbitrary data in an internal database, which can also have an "impact on the availability" of attacked devices (CVE-2024-20536, CVSS 8.8, high).
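The following added example (Python with sqlite3, not Cisco's code and unrelated to how the Nexus Dashboard Fabric Controller is implemented) shows why an application-level read-only role does not contain an SQL injection: once untrusted input reaches the SQL text, the database runs whatever it is handed. The hypothetical endpoint, its schema, rows and payloads are all constructed for the example; the hardened version uses bound parameters plus escaping of LIKE metacharacters.

```python
"""Added illustration (not Cisco's code): SQL injection reachable by an authenticated
read-only user through a hypothetical REST endpoint, beside the parameterised fix.
Schema, rows, endpoint and payloads are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a controller's internal database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE fabrics(id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        CREATE TABLE api_keys(id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO fabrics VALUES (1, 'dc-east', 'netops'), (2, 'dc-west', 'netops'),
                                   (3, 'lab', 'bob');
        INSERT INTO api_keys VALUES (1, 'admin', 'example-admin-key');
    """)
    return con


def list_fabrics_vulnerable(con: sqlite3.Connection, user: str, prefix: str) -> list:
    """Hypothetical GET /api/fabrics?prefix=<prefix>, allowed for the read-only role.

    `user` comes from the session (trusted); `prefix` comes from the query string.
    Bug: the prefix is spliced into the SQL text, so a quote character ends the
    string literal and the rest of the input becomes SQL. With a driver that accepts
    stacked statements (sqlite3's execute() does not) the same hole also allows
    UPDATE and DELETE, which is where the impact on availability comes from.
    """
    sql = (f"SELECT name, owner FROM fabrics "
           f"WHERE owner = '{user}' AND name LIKE '{prefix}%'")
    return con.execute(sql).fetchall()


def list_fabrics_hardened(con: sqlite3.Connection, user: str, prefix: str) -> list:
    """Same endpoint with the fix: values are bound as parameters, never parsed as
    SQL, and LIKE metacharacters in the prefix are escaped so the caller cannot
    widen the pattern either."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT name, owner FROM fabrics "
           "WHERE owner = ? AND name LIKE ? ESCAPE '\\'")
    return con.execute(sql, (user, escaped + "%")).fetchall()


# Constructed payloads: the first reads every owner's rows, the second pulls
# another table entirely.
BYPASS = "%' OR 1=1 --"
EXFIL = "x%' UNION SELECT username, secret FROM api_keys --"

if __name__ == "__main__":
    db = make_db()
    print("benign:      ", list_fabrics_vulnerable(db, "bob", "la"))
    print("bypass:      ", list_fabrics_vulnerable(db, "bob", BYPASS))
    print("exfiltration:", list_fabrics_vulnerable(db, "bob", EXFIL))
    print("hardened:    ", list_fabrics_hardened(db, "bob", BYPASS),
          list_fabrics_hardened(db, "bob", EXFIL))
```

The read-only role is enforced in the application, not in the database, so the fix has to be at the query layer. Parameter binding removes the injection; the ESCAPE clause closes the smaller, often overlooked hole that a user-supplied `%` or `_` turns a prefix match into a full-table read.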
Cisco's developers also rate a denial-of-service vulnerability in Cisco Enterprise Chat and Email as high risk. Unauthenticated attackers on the network can trigger it in the External Agent Assignment Service (EAAS) by sending specially crafted Media Routing Peripheral Interface Manager (MR PIM) traffic to vulnerable devices (CVE-2024-20484, CVSS 7.5, high).
The remaining advisories concern vulnerabilities that Cisco classifies as medium severity. The individual Cisco advisories, in descending order of risk:
Cisco Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul Access Point Command Injection Vulnerability, CVSS 10.0, critical
Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability, CVSS 8.8, high
Cisco Enterprise Chat and Email Denial of Service Vulnerability, CVSS 7.5, high
Cisco Identity Services Engine Authorization Bypass and Cross-Site Scripting Vulnerabilities, CVSS 6.5, medium
Cisco Unified Communications Manager IM & Presence Service Information Disclosure Vulnerability, CVSS 6.5, medium
Cisco Identity Services Engine Vulnerabilities, CVSS 6.1, medium
Cisco Unified Communications Manager Cross-Site Scripting Vulnerability, CVSS 6.1, medium
Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Stored Cross-Site Scripting Vulnerability, CVSS 5.4, medium
Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerability, CVSS 5.4, medium
Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability, CVSS 5.4, medium
Cisco Nexus 3550-F Switches Access Control List Programming Vulnerability, CVSS 5.3, medium
Cisco 7800, 8800, and 9800 Series Phones Information Disclosure Vulnerability, CVSS 5.3, medium
Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities, CVSS 4.8, medium
Cisco Meeting Management Information Disclosure Vulnerability, CVSS 4.3, medium
Cisco Identity Services Engine Vulnerabilities, CVSS 4.3, medium
Around a week ago, Cisco made brute-force protection for VPN logins available on further ASA and FTD appliances. It is intended to slow down password-spraying and brute-force attacks against VPN servers, which have been observed more frequently since April.
(dmk)