Cisco has rolled out security patches for fourteen different products. Advisories released for Cisco Webex Video Mesh and Cisco IOS and Cisco IOS XE Software are considered important. The most severe of these vulnerabilities could allow an attacker to remotely execute commands and take control of an affected system.
Cisco has released security updates for the following products:
- Cisco Webex Video Mesh
- Cisco IOS and Cisco IOS XE Software
- Cisco Webex Centers
- Cisco Vision Dynamic Signage Director
- Cisco UCS Director
- Cisco Mobility Management Entity
- Cisco Identity Services Engine
- Cisco IP Phone 6800, 7800, and 8800 Series
- Cisco Finesse
- Cisco Emergency Responder
- Cisco Data Center Analytics Framework
- Cisco Unified Customer Voice Portal
- Cisco Crosswork Change Automation
- Cisco AnyConnect Secure Mobility Client
High Severity Vulnerabilities
- CVE-2019-16005 : An arbitrary command execution vulnerability exists in the web-based management interface of Cisco Webex Video Mesh due to improper validation of user-supplied input by the web-based management interface. A remote authenticated attacker can execute arbitrary commands on the underlying Linux system with root privileges by sending crafted requests.
CVE-2019-16009 : A Cross-Site Request Forgery vulnerability exists in the web UI of Cisco IOS and Cisco IOS XE Software due to insufficient CSRF protections for the web UI. An attacker can trick a user to open a malicious link, which grants the attacker, the rights of the user. An attacker could use these privileges to perform arbitrary actions. The attacker could also alter the configuration, execute commands, or reload an affected device, if the targeted user had administrative privileges.
Medium Severity Vulnerabilities
Cisco’s fixes included twelve medium severity vulnerabilities, five of which could be exploited to launch cross-site scripting attacks. These vulnerabilities are :
An attacker could exploit these vulnerabilities to execute arbitrary commands with root privileges, conduct cross-site request forgery, denial of service, authentication and authorization bypass, information disclosure, cross-site scripting, service hijacking and insecure direct object reference attacks on vulnerable systems.
We recommend installing the necessary Cisco security updates as soon as possible to stay protected.