Several Vulnerabilities Found in Cisco Industrial Network Director

Cisco on Wednesday informed customers that several vulnerabilities, including a code execution flaw classified as “high severity,” have been found in the company’s Industrial Network Director product.

Cisco Industrial Network Director is specifically designed for managing industrial networks and it allows operations teams to gain full visibility into their automation network.

While conducting internal security testing, Cisco employees identified three types of vulnerabilities in Industrial Network Director. The most serious of them, tracked as CVE-2019-1861 with a CVSS score of 7.2, is a remote code execution flaw.

While these types of vulnerabilities can be dangerous, Cisco’s advisory reveals that exploitation of CVE-2019-1861 requires the attacker to authenticate on the targeted system with admin privileges and upload a malicious file. This would allow them to execute arbitrary code with elevated privileges.

The security hole has been patched with the release of version 1.6.0. Prior versions are impacted.

Cisco also discovered that Industrial Network Director is affected by a stored cross-site scripting (XSS) vulnerability that a remote, authenticated attacker can exploit, and by a cross-site request forgery (CSRF) flaw that allows an unauthenticated attacker to perform arbitrary actions on the targeted device by tricking a legitimate user into clicking a malicious link.

The XSS and CSRF vulnerabilities have been classified as “medium severity” and they have not been patched.

Cisco also informed customers on Wednesday that the authentication system used by Cisco Unified Communications Manager IM and Presence (Unified CM IM&P), TelePresence Video Communication Server (VCS), and Expressway Series is affected by a security hole that can be exploited remotely without authentication for denial-of-service (DoS) attacks. Patches have been released for this vulnerability.

Another interesting vulnerability disclosed by Cisco this week affects the BIOS upgrade utility for Unified Computing System (UCS) C-Series Rack Servers. A local, authenticated attacker can install a malicious BIOS on affected devices due to insufficient validation of firmware images. A patch has not been released.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
