Cisco Patches Critical Flaw in Smart Licensing Solution

Cisco has released patches for sixteen vulnerabilities across its products, including one rated critical, six high severity, and nine medium risk. 

The critical vulnerability impacts Cisco’s Smart Software Manager On-Prem licensing solution (previously known as Smart Software Manager satellite) and could allow a remote, unauthenticated attacker to access system data with high privileges.

Cisco explains that the issue stems from a system account that has a default, static password and is not under the control of the system administrator.

An attacker could use the account to gain read and write access to system data, including the configuration of affected devices. However, they would not have full control of the device, the company explains. 

Tracked as CVE-2020-3158 and featuring a CVSS score of 9.8, the flaw impacts Cisco Smart Software Manager On-Prem releases earlier than 7-202001, but only if the High Availability (HA) feature is enabled. 
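Because the affected set is both version- and configuration-dependent, a defender triaging an inventory needs to apply both conditions at once. The following is an added example (not Cisco's code) that assumes SSM On-Prem release strings use the "major-YYYYMM" form quoted in the advisory and uses a constructed host inventory:

```python
"""Triage helper for CVE-2020-3158 in Cisco Smart Software Manager On-Prem.

Added example, not Cisco's code. Assumes release strings follow the
"<major>-<YYYYMM>" form used in the advisory (e.g. "7-202001"); the host
inventory below is a constructed sample, not real hosts.
"""
from __future__ import annotations
from dataclasses import dataclass

FIXED_RELEASE = "7-202001"  # first release not affected, per the advisory


def parse_release(release: str) -> tuple[int, int]:
    """Split "7-202001" into (7, 202001) so releases compare in order."""
    major, _, build = release.partition("-")
    if not major.isdigit() or not build.isdigit():
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(major), int(build)


def is_affected(release: str, ha_enabled: bool) -> bool:
    """Affected only when older than the fixed release AND HA is enabled."""
    return ha_enabled and parse_release(release) < parse_release(FIXED_RELEASE)


@dataclass
class Host:
    name: str
    release: str
    ha_enabled: bool


def triage(hosts: list[Host]) -> list[str]:
    """Return the names of hosts that still need the fix."""
    return [h.name for h in hosts if is_affected(h.release, h.ha_enabled)]


# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    Host("ssm-prod-1", "7-201910", ha_enabled=True),   # old release, HA on: affected
    Host("ssm-prod-2", "7-201910", ha_enabled=False),  # old release, HA off: not affected
    Host("ssm-lab", "7-202001", ha_enabled=True),      # fixed release: not affected
    Host("ssm-dr", "8-202002", ha_enabled=True),       # newer major: not affected
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print(f"{name}: affected by CVE-2020-3158, upgrade to {FIXED_RELEASE} or later")
```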

The first of the high severity bugs addressed this week impacts Unified Contact Center Express (Unified CCX) and could allow an attacker with valid administrative credentials to upload arbitrary files and execute commands on the underlying operating system (CVE-2019-1888). 

A high risk flaw (CVE-2019-1736) patched in UCS C-Series Rack Servers could allow an authenticated, physical attacker to bypass UEFI Secure Boot validation checks and load their own software image on an affected device.

The issue impacts Firepower Management Center (FMC) 1000, 2500, and 4500, Secure Network Server 3500 and 3600 Series Appliances, and Threat Grid 5504 Appliance, if they run a vulnerable BIOS version and a vulnerable Integrated Management Controller (IMC) firmware.

Cisco also fixed a vulnerability (CVE-2019-1983) in the email message filtering feature of AsyncOS Software for Email Security Appliance (ESA) and Content Security Management Appliance (SMA) that could allow an unauthenticated, remote attacker to crash processes and cause denial of service (DoS). 

Another flaw in the AsyncOS Software for ESA (CVE-2019-1947) could be exploited remotely without authentication to increase CPU utilization to 100 percent, causing a denial of service (DoS) condition. 

The other two high severity bugs addressed this week impact the Cisco Data Center Network Manager (DCNM). The first is an elevation of privilege flaw in a REST API endpoint (CVE-2020-3112), while the second is a cross-site request forgery (CSRF) bug in the web-based management interface (CVE-2020-3114). 

The medium risk flaws Cisco patched this week include a DoS bug in Unified Contact Center Enterprise, remote code execution in Enterprise NFV Infrastructure Software (NFVIS), Cross-Site Scripting (XSS) in Identity Services Engine, XSS in Finesse, DoS in AsyncOS Software for ESA, SQL injection in Cloud Web Security (CWS), DoS in Meeting Server, incorrect handling of directory paths in AnyConnect Secure Mobility Client for Windows, and XSS in Data Center Network Manager (DCNM).

Cisco says it is not aware of any malicious exploitation of these vulnerabilities. 

Specific information on each of these vulnerabilities can be found in the advisories Cisco published on its support website. 

Related: Cisco Discovery Protocol Flaws Expose Tens of Millions of Devices to Attacks

Related: Cisco Patches DoS, Information Disclosure Flaws in Small Business Switches

Related: Cisco DCNM Users Warned of Serious Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
