Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business Switches

Cisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.

Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.

Cisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.

Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.

Two high-severity issues (CVE-2021-34779, CVE-2021-34780) were found in the Link Layer Discovery Protocol (LLDP) implementation for Small Business 220 series smart switches, leading to the execution of arbitrary code and a denial of service condition.

The software update released for the enterprise switch series also resolves four medium-severity security flaws that could result in LLDP memory corruption on an affected device.

Another severe vulnerability is an insufficient input validation in the Intersight Virtual Appliance. Tracked as CVE-2021-34748, the security hole could lead to the execution of arbitrary commands with root privileges.

This week Cisco also resolved two high-severity vulnerabilities in the ATA 190 series and ATA 190 series multiplatform (MPP) software. Tracked as CVE-2021-34710 and CVE-2021-34735, the flaws could be exploited for remote code execution and to cause a denial of service (DoS) condition, respectively.

One of these vulnerabilities was reported to Cisco by firmware security company IoT Inspector, which described its findings in an advisory published on Thursday.

Cisco also addressed an improper memory management flaw in AsyncOS for Web Security Appliance (WSA) that could lead to DoS, as well as a race condition in the AnyConnect Secure Mobility Client for Linux and macOS that could be abused to execute arbitrary code with root privileges.

Advertisement. Scroll to continue reading.

Another high-severity flaw addressed this week is CVE-2021-1594, an insufficient input validation in the REST API of Cisco Identity Services Engine (ISE). An attacker in a man-in-the-middle position able to decrypt HTTPS traffic between two ISE personas on separate nodes could exploit the flaw to execute arbitrary commands with root privileges.

Cisco also released patches for multiple medium-severity flaws affecting TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital.

Cisco has released patches for these vulnerabilities and says it is not aware of exploits for them being publicly disclosed. Additional details on the resolved issues can be found on Cisco’s security portal.

Related: Cisco Patches Critical Vulnerabilities in IOS XE Software

Related: Cisco Patches High-Severity Security Flaws in IOS XR

Related: Cisco Patches Critical Enterprise NFVIS Vulnerability for Which PoC Exploit Is Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.