Cisco Systems released patches for 29 bugs that addressed defects in a variety of its products together with routers and switches operating the IOS XE networking software. Thirteen of the vulnerabilities revealed are rated high severity.
The majority of the high-severity vulnerabilities are tied to situations that would result in denial-of-service attacks, while others are command injection bugs (CVE-2019-12650 and CVE-2019-12651) and one digital signature verification bypass flaw (CVE-2019-12649).
One of many bugs (CVE-2019-12648) impacts Cisco 800 and 1000 series routers running Cisco’s IOS software with “Guest OS” installed. “An exploit might allow the attacker to achieve unauthorized access to the Guest OS as a root user,” the advisory states.
The bug (CVE-2019-12648) has a Widespread Vulnerability Scoring System (model 3) rating of 9.9. The rating ought to point out an essential-severity score; nonetheless, it’s unclear why a 9.9 bug would solely get an excessive-severity score.
One other ISO XE bug (CVE-2019-12653), affecting Cisco’s ASR 900 series routers, “may allow an unauthenticated, remote attacker or hacker to trigger a reload of an affected device, leading to a denial of service condition,” Cisco wrote.
Part of Wednesday’s security alerts also included a warning to users of its L2 traceroute function in IOS. Cisco is advising these customers to disable an L2 traceroute function in IOS for which there’s public exploit code. The L2 traceroute function is enabled by default in Cisco IOS and IOS XE Software for Cisco Catalyst switches, Cisco wrote.
Patches launched on Wednesday dovetail two bugs, rated vital, addressed last week impacting the networking giant’s Cisco Data Center Network Manager. One those flaws (CVE-2019-1619) is an authentication bypass bug with a CVSS score of 9.8.
“A vulnerability into the web-based management interface of Cisco Data Center Network Manager may allow an unauthenticated, remote attacker or hacker to bypass authentication and perform arbitrary actions with administrative privileges on an affected system,” Cisco wrote.
The opposite vital bug (CVE-2019-1620) impacting the DCNM is an arbitrary file add and distant code execution vulnerability with a CVSS rating of 9.8. Cisco stated successful exploitation of the bug “may allow an unauthenticated, remote attacker to upload arbitrary files on an affected device.”