SecurityWeek
Cisco Patches Critical Flaw in Smart Licensing Solution

Cisco has released patches for sixteen vulnerabilities across its products, including one rated critical, six high severity, and nine medium risk. 


The critical vulnerability impacts Cisco’s Smart Software Manager On-Prem licensing solution (previously known as Smart Software Manager satellite) and could allow a remote, unauthenticated attacker to access system data with high privileges.

Cisco explains that the issue stems from a system account that ships with a default, static password, and that the account is not under the control of the system administrator, so the credential cannot be changed or disabled through normal administration.

An attacker could use the account to gain read and write access to system data, including the configuration of affected devices. However, they would not have full control of the device, the company explains. 

Tracked as CVE-2020-3158 and featuring a CVSS score of 9.8, the flaw impacts Cisco Smart Software Manager On-Prem releases earlier than 7-202001, but only if the High Availability (HA) feature is enabled. 
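The following block is an added illustration, not Cisco code and not a description of the actual SSM On-Prem implementation: it contrasts the hard-coded credential pattern Cisco describes (one password baked into every installation, which the administrator cannot change) with the per-installation secret a hardened build would generate when the HA feature is enabled. The account name, the placeholder password, and the in-memory credential store are all hypothetical.

```python
"""Added example (not Cisco's code): a shared built-in HA account password
versus a per-installation secret with administrator-controlled rotation.
Every identifier here (account name, placeholder password, store layout)
is hypothetical and chosen only to illustrate the pattern."""
import hashlib
import hmac
import os
import secrets

HA_ACCOUNT = "ha-sync"  # hypothetical name of the internal HA system account

# Vulnerable pattern: the same password is compiled into every installation
# and there is no administrative path to change it. Anyone who learns it
# once can log in to every deployment that has HA enabled.
_BUILT_IN_PASSWORD = "ha-default-pass"  # hypothetical placeholder, not a real value


def provision_vulnerable(store: dict) -> str:
    """Create the HA account with the shared built-in password (CWE-798 style)."""
    store[HA_ACCOUNT] = {"password": _BUILT_IN_PASSWORD}
    return _BUILT_IN_PASSWORD


# Hardened pattern: generate a random secret per installation the moment HA is
# enabled, persist only a salted PBKDF2 hash, and expose a rotation path so the
# administrator owns the credential.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def rotate_hardened(store: dict, new_password: str) -> None:
    """Administrator-controlled rotation: replace the stored salt and hash."""
    salt = os.urandom(16)
    store[HA_ACCOUNT] = {"salt": salt, "hash": _hash_password(new_password, salt)}


def provision_hardened(store: dict) -> str:
    """Create the HA account with a fresh random secret and return it once,
    so it can be delivered to the peer node out of band."""
    password = secrets.token_urlsafe(32)
    rotate_hardened(store, password)
    return password


def authenticate(store: dict, account: str, password: str) -> bool:
    """Verify a login against either record layout, using constant-time compares."""
    rec = store.get(account)
    if rec is None:
        return False
    if "password" in rec:  # vulnerable layout: plaintext password on disk
        return hmac.compare_digest(rec["password"], password)
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def uses_default_credential(store: dict) -> bool:
    """Triage check: does this installation still accept the built-in password?"""
    return authenticate(store, HA_ACCOUNT, _BUILT_IN_PASSWORD)


if __name__ == "__main__":
    node_a, node_b = {}, {}
    provision_vulnerable(node_a)
    provision_vulnerable(node_b)
    print("vulnerable: built-in password accepted on node A:",
          uses_default_credential(node_a))
    print("vulnerable: same password works on node B:",
          authenticate(node_b, HA_ACCOUNT, _BUILT_IN_PASSWORD))

    hard_a, hard_b = {}, {}
    secret_a = provision_hardened(hard_a)
    provision_hardened(hard_b)
    print("hardened: node A secret opens node B:",
          authenticate(hard_b, HA_ACCOUNT, secret_a))
    rotate_hardened(hard_a, "operator-chosen-value")
    print("hardened: old secret still valid after rotation:",
          authenticate(hard_a, HA_ACCOUNT, secret_a))
```

The point of the contrast is the one Cisco's advisory turns on: in the vulnerable layout the credential is identical across installations and outside the administrator's control, so a single leaked value is enough for a remote, unauthenticated login wherever HA is enabled, whereas the hardened layout gives each installation its own secret and a rotation path.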

The first of the high severity bugs addressed this week impacts Unified Contact Center Express (Unified CCX) and could allow an attacker with valid administrative credentials to upload arbitrary files and execute commands on the underlying operating system (CVE-2019-1888). 

A high risk flaw (CVE-2019-1736) patched in UCS C-Series Rack Servers could allow an authenticated, physical attacker to bypass UEFI Secure Boot validation checks and load their own software image on an affected device.

The issue impacts Firepower Management Center (FMC) 1000, 2500, and 4500, Secure Network Server 3500 and 3600 Series Appliances, and Threat Grid 5504 Appliance, if they run a vulnerable BIOS version and a vulnerable Integrated Management Controller (IMC) firmware.


Cisco also fixed a vulnerability (CVE-2019-1983) in the email message filtering feature of AsyncOS Software for Email Security Appliance (ESA) and Content Security Management Appliance (SMA) that could allow an unauthenticated, remote attacker to crash processes and cause denial of service (DoS). 

Another flaw in the AsyncOS Software for ESA (CVE-2019-1947) could be exploited remotely without authentication to increase CPU utilization to 100 percent, causing a denial of service (DoS) condition. 

The other two high severity bugs addressed this week impact the Cisco Data Center Network Manager (DCNM). The first of them is an elevation of privilege in the REST API endpoint (CVE-2020-3112), while the second is a cross-site request forgery (CSRF) bug in the web-based management interface (CVE-2020-3114). 

The medium risk flaws Cisco patched this week include a DoS bug in Unified Contact Center Enterprise, remote code execution in Enterprise NFV Infrastructure Software (NFVIS), Cross-Site Scripting (XSS) in Identity Services Engine, XSS in Finesse, DoS in AsyncOS Software for ESA, SQL injection in Cloud Web Security (CWS), DoS in Meeting Server, incorrect handling of directory paths in AnyConnect Secure Mobility Client for Windows, and XSS in Data Center Network Manager (DCNM).

Cisco says it is not aware of any malicious exploitation of these vulnerabilities. 

Specific information on each of these vulnerabilities can be found in the advisories Cisco published on its support website. 

Related: Cisco Discovery Protocol Flaws Expose Tens of Millions of Devices to Attacks

Related: Cisco Patches DoS, Information Disclosure Flaws in Small Business Switches

Related: Cisco DCNM Users Warned of Serious Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
