Cisco has released updates for several of its security, networking and cloud products to address over a dozen vulnerabilities, including high severity issues that can be used for command injections and denial-of-service (DoS) attacks.
The list of severe weaknesses includes two DoS vulnerabilities in Cisco’s Wireless LAN Controllers. The security holes, tracked as CVE-2017-12275 and CVE-2017-12278, allow attackers to cause affected devices to reload and enter a DoS condition.
Cisco has also fixed high severity flaws in some of its Aironet access points. The bugs, identified as CVE-2017-12273 and CVE-2017-12274, can be exploited by unauthenticated attackers that have access to devices via Layer 2 radio frequency to cause the system to enter a DoS condition by sending specially crafted requests.
As for security products, Cisco patched a severe vulnerability in some of its Firepower appliances. The flaw (CVE-2017-12277) allows an authenticated attacker to remotely inject commands that could get executed with root privileges.
Another security product patched this week is the Cisco Identity Services Engine (ISE), which has a privilege escalation bug (CVE-2017-12261) that could allow an authenticated local attacker to run arbitrary command-line interface (CLI) commands with elevated privileges.
The cloud products impacted by high severity flaws are the Prime Collaboration Provisioning application, which is affected by a SQL injection weakness that can be exploited remotely with authentication (CVE-2017-12276), and Cisco Application Policy Infrastructure Controller, which allows an unauthenticated attacker to gain privileged access to services only available on the internal network (CVE-2017-12262).
A majority of these flaws were discovered internally by Cisco and there is no evidence of exploitation for malicious purposes.
Related: Cisco Patches Critical Flaw in Cloud Services Platform
Related: Cisco Warns of Serious Flaws in IOS Software
Related: Cisco Fixes Critical Flaws in Ultra, Elastic Services Products
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
