Cisco has released updates for several of its security, networking and cloud products to address over a dozen vulnerabilities, including high severity issues that can be used for command injections and denial-of-service (DoS) attacks.
The list of severe weaknesses includes two DoS vulnerabilities in Cisco’s Wireless LAN Controllers. The security holes, tracked as CVE-2017-12275 and CVE-2017-12278, allow attackers to cause affected devices to reload and enter a DoS condition.
Cisco has also fixed high severity flaws in some of its Aironet access points. The bugs, identified as CVE-2017-12273 and CVE-2017-12274, can be exploited by unauthenticated attackers that have access to devices via Layer 2 radio frequency to cause the system to enter a DoS condition by sending specially crafted requests.
As for security products, Cisco patched a severe vulnerability in some of its Firepower appliances. The flaw (CVE-2017-12277) allows an authenticated attacker to remotely inject commands that could get executed with root privileges.
Another security product patched this week is the Cisco Identity Services Engine (ISE), which has a privilege escalation bug (CVE-2017-12261) that could allow an authenticated local attacker to run arbitrary command-line interface (CLI) commands with elevated privileges.
The cloud products impacted by high severity flaws are the Prime Collaboration Provisioning application, which is affected by a SQL injection weakness that can be exploited remotely with authentication (CVE-2017-12276), and Cisco Application Policy Infrastructure Controller, which allows an unauthenticated attacker to gain privileged access to services only available on the internal network (CVE-2017-12262).
A majority of these flaws were discovered internally by Cisco and there is no evidence of exploitation for malicious purposes.
Related: Cisco Patches Critical Flaw in Cloud Services Platform
Related: Cisco Warns of Serious Flaws in IOS Software
Related: Cisco Fixes Critical Flaws in Ultra, Elastic Services Products
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
