Cisco informed customers on Wednesday that it has released patches for several medium and high severity vulnerabilities affecting its Prime Network Analysis Module products.
Cisco’s Network Analysis Module (NAM) products are part of the company’s cloud and system management offering. They enable administrators to optimize network resources and improve the delivery of applications and services.
The product has been found to be plagued by two vulnerabilities that have been rated “high severity.” One of them, tracked as CVE-2016-1370, allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted IPv6 packets on the network where the NAM is monitoring traffic.
Another high severity issue, tracked as CVE-2016-1388, affects the product’s web interface. An attacker can exploit the flaw to remotely execute arbitrary commands on the underlying operating system via specially crafted HTTP requests. This vulnerability has been found to affect both physical and virtual modules (vNAM).
Cisco’s NAM and vNAM products are also plagued by two medium severity issues. One of them is a command injection vulnerability (CVE-2016-1390) that allows a local, authenticated attacker to execute arbitrary commands on the host operating system. An attacker could manage to execute commands with root privileges by submitting specially crafted input.
The second medium severity issue affects the web interface and allows a remote attacker to execute arbitrary commands or code by sending specially crafted HTTP requests to the targeted system. The vulnerability, identified as CVE-2016-1391, can only be exploited by an authenticated attacker.
Cisco addressed the flaws with the release of patches and security updates that can be downloaded from the Software Center on the company’s website.
The DoS vulnerability was identified by Cisco during internal quality assurance security testing, while the other issues were reported to the company by Daniel Jensen from Security-Assessment.com.
Related: Cisco Releases Critical Security Updates
Related: Cisco Patches Severe Flaws in Wireless LAN Controller
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
Latest News
- Patient Information Compromised in Data Breach at San Diego Healthcare Provider
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
