Cisco this week released security patches to address numerous vulnerabilities across its products, including critical severity flaws that impact IP Phones and UCS Director.
The critical vulnerability patched in IP Phones impacts the web server and could allow a remote, unauthenticated attacker to execute code with root privileges. The bug has a CVSS score of 9.8.
Tracked as CVE-2020-3161, the issue exists because input in HTTP requests is not properly validated. Thus, an attacker could exploit the flaw by sending a crafted HTTP request to the web server of a vulnerable device.
“In libHTTPService.so, the parameters after /deviceconfig/setActivationCode are used to create a new URI via a sprintf function call. The length of the parameter string is not checked. When an attacker provides a long parameter string then sprintf overflows the provided stack-based buffer,” Tenable, which reported the bug to Cisco, explains.
IP Phone 7811, 7821, 7841, and 7861 Desktop Phones; IP Phone 8811, 8841, 8845, 8851, 8861, and 8865 Desktop Phones; Unified IP Conference Phone 8831; and Wireless IP Phone 8821 and 8821-EX were found to be affected.
Software updates that Cisco released this week address the vulnerability. The company says that, while it is aware of the flaw being publicly disclosed (Tenable has published a DoS proof-of-concept), it is not aware of the bug being targeted in attacks.
A total of three critical vulnerabilities were addressed in Cisco UCS Director and UCS Director Express for Big Data, all three discovered in the REST API. The bugs may allow a remote, unauthenticated attacker to bypass authentication or conduct directory traversal attacks.
The flaws are tracked as CVE-2020-3239, CVE-2020-3240, and CVE-2020-3243, and exist due to insufficient access control validation and improper input validation. All three issues were addressed in UCS Director 220.127.116.11 and UCS Director Express for Big Data 18.104.22.168.
This week, Cisco also released patches for seven high severity vulnerabilities impacting Wireless LAN Controller (WLC) Software, Webex Network Recording Player and Webex Player, Mobility Express Software, IoT Field Network Director, Unified Communications Manager (UCM) and UCM Session Management Edition (SME), and Aironet Series Access Points Software.
Six of the bugs could be exploited by unauthenticated, remote attackers to cause denial of service (DoS), conduct a cross-site request forgery (CSRF) attack, or to conduct directory traversal attacks. The bug in Webex Player could lead to remote code execution.
Cisco has released free software updates to address all of these vulnerabilities and says it is not aware of any public announcements or malicious use of these bugs. Details on each vulnerability are available on Cisco’s support website.