Cisco Patches High-Severity Vulnerabilities in Network Operating System

Cisco has announced security updates that patch eight vulnerabilities in IOS XR software, including six high-severity bugs.

Cisco on Wednesday announced patches for eight vulnerabilities in the IOS XR network operating system, including fixes for six high-severity bugs.

The most severe of the flaws is CVE-2024-20398 (CVSS score of 8.8), a local privilege escalation caused by insufficient validation of user-supplied arguments that IOS XR passes to specific CLI commands.

“An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root,” Cisco explains.

Next in line is CVE-2024-20304 (CVSS score of 8.6), a packet memory handling bug in the Mtrace2 (multicast traceroute version 2) feature of IOS XR that could be exploited remotely, without authentication, to cause a denial-of-service (DoS) condition.

“This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device,” the tech company explains.

Cisco also warned that two high-severity flaws in the Routed Passive Optical Network (PON) controller software, which runs as a Docker container on devices running IOS XR, could be exploited for command injection, allowing authenticated attackers to execute commands as root or retrieve MongoDB credentials.
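Both the CLI argument flaw (CVE-2024-20398) and the PON controller command injection bugs share one root cause: a privileged component hands user-controlled input to an OS command without validating it. The following Python snippet is an added, generic illustration of that bug class; it is not Cisco's code and does not reproduce the patched flaws. It models a hypothetical privileged helper that "shows" a log file for a low-privileged operator: the vulnerable version splices the argument into a shell string, the hardened version allowlists the argument and passes an argv list with no shell. The log directory and the `echo`-based command are constructed for the demo.

```python
import re
import subprocess

# Hypothetical directory the helper is allowed to read from (assumption for the demo).
LOG_DIR = "/var/log/demo"

# Allowlist: a plain file name only. No '/', no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_vulnerable(user_arg: str) -> str:
    """BUG: the operator's argument is interpolated into a shell command line.

    An argument such as 'x; echo INJECTED' makes /bin/sh run a second command
    with whatever privileges the helper has (root, in the advisory's scenario).
    'echo' stands in for the real privileged action so the demo is harmless.
    """
    cmd = f"echo reading {LOG_DIR}/{user_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_name(user_arg: str) -> str:
    """Reject anything that is not a bare file name; '.' and '..' are refused explicitly."""
    if not SAFE_NAME.fullmatch(user_arg) or user_arg in (".", ".."):
        raise ValueError(f"rejected argument: {user_arg!r}")
    return user_arg


def run_hardened(user_arg: str) -> str:
    """Validated argument, argv list, no shell: metacharacters are never interpreted,
    and the allowlist keeps path traversal out of the privileged helper."""
    argv = ["echo", "reading", f"{LOG_DIR}/{validate_name(user_arg)}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_rejected(user_arg: str) -> bool:
    """Helper for checks: True if the hardened path refuses the argument."""
    try:
        validate_name(user_arg)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    payload = "x; echo INJECTED"          # constructed hostile argument
    print("vulnerable:", repr(run_vulnerable(payload)))   # second command runs
    print("hardened  :", is_rejected(payload))            # True: refused before exec
    print("hardened  :", repr(run_hardened("syslog")))    # benign name passes
```

The check worth carrying into a code review is the last one: anything that reaches `subprocess`, `system()`, or a CLI dispatcher from an unprivileged account must be validated against an allowlist and passed as discrete arguments, never as a string a shell will re-parse.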

The two bugs, tracked as CVE-2024-20483 and CVE-2024-20489, impact NCS 540, NCS 5500, and NCS 5700 routers, and will be resolved with future updates, Cisco says.

Cisco on Wednesday also announced fixes for two other high-severity DoS flaws in its network OS: one in the handling of specific Ethernet frames and one in the segment routing feature for the IS-IS routing protocol.


Fixes were also announced for two medium-severity bugs in IOS XR that could allow attackers to read files from the underlying Linux operating system, or cause a DoS condition on XML TCP listen port 38751.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s semiannual IOS XR software security advisory.

Related: Cisco Patches Critical Vulnerabilities in Smart Licensing Utility

Related: Cisco Systems Joins Microsoft, IBM in Vatican Pledge to Ensure Ethical Use and Development of AI

Related: Cisco Patches Code Execution Flaw in VPN Product 6 Months After Disclosure

Related: Cisco Adds Vulnerability Identification to Tetration Platform

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
