
Cisco Patches High-Severity Vulnerabilities in IOS Software

Cisco has released patches for seven high-severity vulnerabilities affecting products running IOS and IOS XE software.

Cisco on Wednesday announced patches for 11 vulnerabilities as part of its semiannual IOS and IOS XE security advisory bundle publication, including seven high-severity flaws.

The most severe of the high-severity bugs are six denial-of-service (DoS) issues impacting the UTD component, RSVP feature, PIM feature, DHCP Snooping feature, HTTP Server feature, and IPv4 fragmentation reassembly code of IOS and IOS XE.

According to Cisco, all six vulnerabilities can be exploited remotely and without authentication, by sending crafted traffic or packets to an affected device.

The seventh high-severity flaw impacts the web-based management interface of IOS XE and could enable cross-site request forgery (CSRF) attacks if an unauthenticated, remote attacker convinces an authenticated user to follow a crafted link.

Cisco’s semiannual IOS and IOS XE bundled advisory also details four medium-severity security defects that could lead to CSRF attacks, protection bypasses, and DoS conditions.

The tech giant says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found in Cisco’s bundled security advisory publication.

On Wednesday, the company also announced patches for two high-severity bugs impacting the SSH server of Catalyst Center, tracked as CVE-2024-20350, and the JSON-RPC API feature of Crosswork Network Services Orchestrator (NSO) and ConfD, tracked as CVE-2024-20381.

In the case of CVE-2024-20350, a static SSH host key could allow an unauthenticated, remote attacker to mount a machine-in-the-middle attack and intercept traffic between SSH clients and a Catalyst Center appliance, or to impersonate a vulnerable appliance in order to inject commands and steal user credentials.
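A static host key of the kind described for CVE-2024-20350 shows up from the defender's side as several appliances presenting the same SSH host key. The following script is an added example, not Cisco's or SecurityWeek's code: it takes known_hosts-format lines (as produced by `ssh-keyscan`, here a constructed sample with placeholder key blobs and made-up addresses), computes OpenSSH-style SHA256 fingerprints, and reports any key shared by more than one host so it can be rotated.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in known_hosts format, as produced by `ssh-keyscan`:
# "<host> <key type> <base64 key blob>". The blobs are placeholders
# (base64 of repeated bytes), not real Cisco keys; hosts 10.0.0.11 and
# 10.0.0.12 deliberately present the same key.
SAMPLE_SCAN = """\
10.0.0.11 ssh-ed25519 QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
10.0.0.12 ssh-ed25519 QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
10.0.0.13 ssh-ed25519 QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded host key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text: str) -> dict[str, str]:
    """Map host -> fingerprint; ssh-keyscan comment lines ('# ...') are skipped."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, blob = line.split()[:3]
        hosts[host] = fingerprint(blob)
    return hosts


def shared_host_keys(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Return fingerprint -> hosts for every key presented by more than one host."""
    by_fp = defaultdict(list)
    for host, fp in hosts.items():
        by_fp[fp].append(host)
    return {fp: sorted(hs) for fp, hs in by_fp.items() if len(hs) > 1}


if __name__ == "__main__":
    findings = shared_host_keys(parse_scan(SAMPLE_SCAN))
    for fp, hs in findings.items():
        print(f"shared host key {fp} on {', '.join(hs)}: treat as static, rotate")
    if not findings:
        print("no shared host keys found")
```

Feed it the concatenated `ssh-keyscan` output for your appliances; a distinct fingerprint per host is the expected result, and any match is worth investigating.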


As for CVE-2024-20381, improper authorization checks on the JSON-RPC API could allow a remote, authenticated attacker to send malicious requests and create a new account or elevate their privileges on the affected application or device.

Cisco also warns that CVE-2024-20381 affects multiple products, including the RV340 Dual WAN Gigabit VPN routers, which have been discontinued and will not receive a patch. Although the company is not aware of the bug being exploited, users are advised to migrate to a supported product.

The tech giant also released patches for medium-severity flaws in Catalyst SD-WAN Manager, Unified Threat Defense (UTD) Snort Intrusion Prevention System (IPS) Engine for IOS XE, and SD-WAN vEdge software.

Users are advised to apply the available security updates as soon as possible. Additional information can be found on Cisco’s security advisories page.


Written by Ionut Arghire, international correspondent for SecurityWeek.
