Cisco Patches Critical Flaw in ASR 9000 Routers

Cisco on Wednesday released patches for 30 vulnerabilities, including a critical bug impacting ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit software.

Tracked as CVE-2019-1710 and featuring a CVSS score of 9.8, the vulnerability could allow an unauthenticated, remote attacker to access internal applications running on the sysadmin virtual machine (VM).

The issue resides in the incorrect isolation of the secondary management interface from internal sysadmin applications. Thus, only ASR 9000 routers that have the secondary management interface (physically MGT LAN 1 on the route switch processor (RSP)) connected and configured are affected.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” Cisco notes in an advisory.

Customers are advised to install the updated software to address the issue. A workaround exists, but the company claims it is equivalent to upgrading to the patched software.

Cisco IOS XR 64-bit software releases 6.5.3 and 7.0.1, which edit the calvados_bootstrap.cfg file and reload the device, address the vulnerability.

Also on Wednesday, Cisco released fixes for 6 high-severity bugs: in the handling of Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, in the administrative GUI configuration and the web-based management interface of WLC software, in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and in the development shell authentication for Aironet Series Access Points running the AP-COS operating system.

A total of 23 medium-severity flaws were addressed as well, impacting WLC software, the URL block page of Cisco Umbrella, UCS B-Series Blade Servers, Unified Communications Manager (Unified CM), DNA Center, Registered Envelope Service, Prime Network Registrar, Identity Services Engine (ISE), ASR 9000 routers, IOS XR Software, Expressway Series and TelePresence VCS, Email Security Appliance (ESA), Firepower Management Center (FMC), Directory Connector, and Aironet Series Access Points.

Cisco also updated two previously released advisories with information about public exploitation. The first refers to CVE-2017-3881, a critical vulnerability the U.S. Central Intelligence Agency (CIA) is believed to have abused to target Cisco routers, while the second refers to CVE-2017-6736, CVE-2017-6737, and CVE-2017-6738, three high-severity bugs initially addressed in June 2017.

Information on the addressed vulnerabilities, including their CVEs and CVSS scores, can be found on Cisco’s security center portal.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
