Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Fixes Severe Flaws in WebEx, Small Business Products

Cisco informed customers on Wednesday that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Cisco informed customers on Wednesday that it has released software and firmware updates for some of its products in an effort to address several vulnerabilities rated as having critical, high and medium severity.

Francis Provencher, security researcher and founder of the Canadian government agency COSIG, has been credited by Cisco for identifying two vulnerabilities in WebEx Meetings Player.

The more serious of the flaws, rated critical, is CVE-2016-1464, which allows an unauthenticated attacker to remotely execute arbitrary code by convincing a user to open a specially crafted file with the vulnerable software.

Another vulnerability found by the researcher, classified as having medium severity, allows an unauthenticated attacker to remotely crash the WebEx Meetings Player by getting the victim to open a malicious file.

Both vulnerabilities found by Provencher affect Cisco WebEx Meetings Player version T29.10 for WRF files. Cisco has released updates to address the bugs, but no workarounds are available.

Cisco has also published advisories describing five different vulnerabilities affecting Small Business series switches and IP phones. Four of the issues were reported to the vendor by Nicolas Collignon and Renaud Dubourguais of Synacktiv, and one by security researcher Chris Watts.

The experts discovered that Cisco Small Business 220 Series Smart Plus (Sx220) switches are plagued by a flaw that allows a remote, unauthenticated attacker to gain access to Simple Network Management Protocol (SNMP) objects on vulnerable devices. The security hole, classified as “critical” and tracked as CVE-2016-1473, is caused by the existence of a default SNMP community string that cannot be removed.

A different advisory details a high severity denial-of-service (DoS) vulnerability affecting Small Business IP phones, namely the SPA300, SPA500 and SPA51x models. Due to incorrect handling of malformed HTTP traffic, the phones can enter a DoS condition if a remote attacker sends them specially crafted requests. This issue has been assigned the CVE-2016-1469 identifier.

Advertisement. Scroll to continue reading.

Cisco has also released patches for three medium severity cross-site request forgery (CSRF), cross-site scripting (XSS) and DoS vulnerabilities affecting Small Business 220 Series Smart Plus (Sx220) switches.

The company recently issued updates for its Adaptive Security Appliance (ASA) software to address a serious remote code execution vulnerability leveraged by a zero-day exploit. The existence of the exploit came to light after a threat actor leaked firewall exploits and implants allegedly stolen from an NSA-linked group.

Related: Cisco Patches Critical Flaws in Firepower Management Center

Related: No Patch for Critical RCE Flaw in Cisco Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.