Cisco has released security updates to address high severity vulnerabilities in twelve different Cisco products. Exploitation of some of these vulnerabilities allows an unauthenticated, remote attacker to execute code with root privileges.
The Cisco security updates address vulnerabilities in the following products:
- Cisco Small Business RV Series Routers
- Cisco Firepower Threat Defense (FTD)
- Cisco Prime Collaboration Provisioning
- Cisco Prime Service Catalog Virtual Appliance
- Cisco Smart Software Manager On-Prem
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches in standalone NX-OS mode
- Cisco Paging Server (InformaCast)
- Cisco Ultra Cloud
- Cisco IOS XR Software for:
  - 8000 Series Routers
  - NCS 540 Series Routers that are running the NCS540L images
High Severity Vulnerabilities
CVE-2021-1289, CVE-2021-1290, CVE-2021-1291, CVE-2021-1292, CVE-2021-1293, CVE-2021-1294, CVE-2021-1295 – Vulnerabilities found in the web-based management interface of Cisco Small Business Routers, including the RV160, RV160W, RV260, RV260P, and RV260W, could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges on an affected device. These vulnerabilities arise from improper validation of HTTP requests and could be exploited by sending a crafted HTTP request to the web-based management interface of an affected device.
CVE-2021-3156 – A vulnerability in the command-line parameter parsing code of Sudo allows an authenticated, local attacker to execute commands or binaries with root privileges. The vulnerability exists because command-line parameters are parsed improperly, which can result in a heap-based buffer overflow. An attacker who already has access to a Unix shell on an affected device could exploit it by invoking the sudoedit command with crafted parameters or by executing a binary exploit.
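A defender-side check for the Sudo issue, added here as an illustration and not taken from the Cisco or SecPod advisories: the widely published probe `sudoedit -s /`, run as a non-root user, fails with an error beginning `sudoedit:` on unpatched builds and is rejected with a `usage:` message on patched ones. The script below classifies that output; the function names and the `RUN_SUDO_PROBE` switch are my own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's sudo build for
# CVE-2021-3156 from the output of the probe `sudoedit -s /`.
# Unpatched builds answer with an error beginning "sudoedit:" (typically
# "sudoedit: /: not a regular file"); patched builds reject the -s flag up
# front with a "usage:" message. Run the probe as a non-root user.
# Function and variable names are my own choice.

# classify_probe_output OUTPUT -> prints vulnerable | patched | unknown
classify_probe_output() {
  case "$1" in
    sudoedit:*) echo vulnerable ;;
    usage:*)    echo patched ;;
    *)          echo unknown ;;
  esac
}

# run_probe -> prints the classification for the local sudo, or "unknown"
# when sudoedit is not installed. The probe never escalates privileges:
# the argument is rejected before any editor or command is run.
run_probe() {
  command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
  out=$(sudoedit -s / 2>&1 </dev/null) || true
  classify_probe_output "$out"
}

# Only touch the live system when explicitly asked, so the functions can be
# sourced or unit-tested without invoking sudo at all.
if [ "${RUN_SUDO_PROBE:-0}" = 1 ]; then
  printf 'local sudo: %s\n' "$(run_probe)"
fi
```

Run it with `RUN_SUDO_PROBE=1 sh check_sudo.sh` on each host; a `vulnerable` result means the Sudo fix has not been applied, regardless of what the package version string claims.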
CVE-2021-1268 – This vulnerability present in the IPv6 protocol handling of the management interfaces of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause an IPv6 flood on the management interface network of an affected device. The software incorrectly forwards IPv6 packets that have an IPv6 node-local multicast group address destination and are received on the management interfaces. A successful exploit will result in an IPv6 flood on the victim’s network.
CVE-2021-1296, CVE-2021-1297 – Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated attacker to perform directory traversal attacks and overwrite certain restricted files remotely. Insufficient input validation is the cause of the vulnerabilities.
CVE-2021-1319, CVE-2021-1320, CVE-2021-1321, CVE-2021-1322, CVE-2021-1323, CVE-2021-1324, CVE-2021-1325, CVE-2021-1326, CVE-2021-1327, CVE-2021-1328, CVE-2021-1329, CVE-2021-1330, CVE-2021-1331, CVE-2021-1332, CVE-2021-1333, CVE-2021-1334, CVE-2021-1335, CVE-2021-1336, CVE-2021-1337, CVE-2021-1338, CVE-2021-1339, CVE-2021-1340, CVE-2021-1341, CVE-2021-1342, CVE-2021-1343, CVE-2021-1344, CVE-2021-1345, CVE-2021-1346, CVE-2021-1347, CVE-2021-1348 – Multiple vulnerabilities present in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface and could be exploited by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges, or to cause the device to reload, resulting in a denial of service (DoS) condition.
CVE-2021-1314, CVE-2021-1315, CVE-2021-1316, CVE-2021-1317, CVE-2021-1318 – Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying operating system. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. Exploitation is possible only if the attacker has valid administrative credentials for the affected device.
CVE-2021-1136, CVE-2021-1244 – A vulnerability in the GRUB boot loader of Cisco NCS 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and of Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local attacker to execute unsigned code during the boot process on an affected device. The vulnerability arises because the GRUB boot loader on an affected device is unlocked. A successful exploit allows the attacker to bypass the boot chain of trust.
CVE-2021-1370 – A vulnerability present in the CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker with low-level privileges to escalate their privilege level to root. To exploit this vulnerability, an attacker would need to have a valid account on an affected device. Insufficient validation of command-line arguments is the reason for the vulnerability.
CVE-2021-1288 – The vulnerability present in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a DoS condition on the affected devices. The vulnerability arises due to a logic error that occurs when an affected device processes Telnet protocol packets.
CVE-2021-1313 – The vulnerability present in the ingress packet processing function of Cisco IOS XR Software could be exploited by sending specific streams of packets to an affected device. A successful exploit causes the enf_broker process to leak system memory. Over time, this memory leak could cause the enf_broker process to crash, leading to system instability and an inability to process or forward traffic through the affected device.
Medium Severity Vulnerabilities
Cisco’s fixes included 14 medium severity vulnerabilities:
CVE-2021-1221, CVE-2021-1354, CVE-2021-1243, CVE-2021-1266, CVE-2021-1389, CVE-2021-1128, CVE-2021-1303, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687
These vulnerabilities could allow an attacker to execute arbitrary code and commands with root privileges, flood the network, cause denial of service, escalate privileges to root, or perform directory traversal attacks on vulnerable systems.
SecPod recommends that users install the necessary Cisco security updates as soon as possible.