A new set of vulnerabilities were identified and fixed by Cisco, the most critical of which could allow a remote attacker to take control of the system. Likewise, security updates are now available for Cisco’s products which include eight advisories rated high in severity and seven rated medium. One of the high severity bugs allow an unauthenticated attacker to remotely execute code with root privileges.
The Cisco security updates for November2019 have addressed vulnerabilities in the following products:
- Cisco Small Business Routers
- Cisco Web Security Appliance (WSA)
- Cisco Wireless LAN Controller
- Cisco Webex Network Recording Player
- Cisco TelePresence Collaboration Endpoint (CE), Cisco TelePresence Codec (TC), and Cisco RoomOS
- Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM)
- Cisco Web Security Appliance
- Cisco Webex Meetings
- Cisco Managed Services Accelerator (MSX)
- Cisco Industrial Network Director (IND)
High Severity Vulnerabilities
- CVE-2019-15271 – An arbitrary code execution vulnerability exists in the web-based management interface of certain Cisco Small Business RV Series Routers. The flaw is due to a lack of input validation of the HTTP payload which could be exploited by sending a malicious HTTP request to the web-based management interface of the targeted device to achieve arbitrary command execution with root privileges. An attacker needs to have valid credentials or an active session token for exploitation.
- CVE-2019-15956 – A command injection vulnerability exists in the web-based management interface of certain Cisco Small Business RV Series Routers. The flaw is due to insufficient validation of user-supplied input which could be exploited by providing malicious input to a specific field in the web-based management interface to achieve execution of arbitrary commands on the underlying Linux operating system as the root user. An attacker needs to have valid credentials or an active session token for exploitation.
- CVE-2019-15283, CVE-2019-15284 and CVE-2019-15285 – Multiple arbitrary code execution vulnerabilities exist in Cisco Webex Network Recording Player and Cisco Webex Player for Microsoft Windows. The flaws exist due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF) which could be exploited by tricking a user to open an attachment or a link containing a malicious ARF or WRF file with the affected software. This allows an attacker to execute arbitrary code on the affected system with the privileges of the targeted user.
- CVE-2019-15958 – An arbitrary code execution vulnerability exists in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM). The flaw is due to the insufficient input validation during the initial High Availability (HA) configuration and registration process of an affected device which could be exploited by uploading a malicious file during the HA registration period to to execute arbitrary code with root-level privileges on the target system.
- CVE-2019-15288 – A privilege escalation vulnerability exists in the CLI of Cisco TelePresence Collaboration Endpoint (CE), Cisco TelePresence Codec (TC), and Cisco RoomOS Software. The flaw is due to insufficient input validation and can be exploited by including specific arguments when opening an SSH connection to an affected device to gain unrestricted user access to the restricted shell of an affected device.
- CVE-2019-15276 – A denial of service vulnerability exists in the web interface of Cisco Wireless LAN Controller Software . The flaw exists due to a failure of the HTTP parsing engine to handle specially crafted URLs. This can be exploited by sending a crafted URL to the web interface with low privileges. An unauthenticated user can exploit the same vulnerability to cause denial of service by tricking a user to click on a crafted URL.
- CVE-2019-15289 – Multiple vulnerabilities were identified in the video service of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software. These flaws are due to insufficient input validation which could be exploited by sending crafted data to video service of an affected endpoint. Successful exploitation allows an attacker to crash the video service causing a denial of service condition.
- CVE-2019-15956 – An unauthorized device reset vulnerability exists in the web management interface of Cisco AsyncOS Software for Cisco Web Security Appliance (WSA). The flaw is due to improper authorization control for a specific URL in the web management interface. An authenticated attacker could exploit the vulnerability by sending crafted HTTP requests to an affected device to change the administrator password and gain privileged access or reset the network configuration details to cause denial of service.
Seven medium severity vulnerabilities were fixed by Cisco. The vulnerabilities are tracked as CVE-2019-15969, CVE-2019-15960, CVE-2019-15967, CVE-2019-15959, CVE-2019-15974, CVE-2019-15973 and CVE-2019-15270 and allow an attacker to conduct cross site scripting and eavesdropping attacks, execute code and scripts, escalate privileges, and redirect users to a malicious page. CVE-2019-15974 and CVE-2019-15969 allow unauthenticated attackers to conduct phishing and cross-site scripting attacks.
These vulnerabilities allow an attacker to execute arbitrary code and commands, conduct denial of service, open redirection, eavesdropping, and cross-site scripting attacks and also elevate privileges.
Cisco has released security updates to address these vulnerabilities. We strongly recommend all the users to install the necessary updates as soon as possible to stay protected.