Cisco has released 17 security updates for its products. Ten of the patches fix vulnerabilities with a high severity rating, including unauthorized access, denial of service, privilege escalation, and other bugs.
The updates affect system software for Web Security Appliance (WSA) series devices, Nexus 9000 network equipment, Small Business line switches, and a number of other software and hardware products from the manufacturer. The most serious vulnerability, which experts rated 8.6 on the CVSS scale, has been fixed in Cisco Unified Communications Manager, a central element of the enterprise-wide communication environment.
According to the description of CVE-2019-1887, deficiencies in the implementation of the Session Initiation Protocol (SIP) allowed an attacker to send a malicious packet to the system and trigger a new device registration process on all the phones connected to it.
“A successful exploit could allow the attacker to trigger a new registration process on all connected phones, temporarily disrupting service or could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition”, is how Cisco describes the problem.
Another bug with a CVSS rating of 8.6, identified as CVE-2019-1886, is associated with the decoding of HTTPS traffic by the AsyncOS software installed on WSA devices (the HTTPS Proxy option is disabled by default).
According to Cisco experts, the vulnerability is caused by insufficient SSL certificate validation: an attacker could install an invalid certificate on a web server and send a request for it through the WSA. This causes the proxy process to restart, resulting in a denial of service. To fix the problem, the manufacturer has released AsyncOS 10.5.5-005 and 11.5.2-020.
Release 11.7 is not affected by this problem.
“Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability”, the company reported.
A similar vulnerability in the same product allowed an attacker to completely stop the processing of network traffic on the target device using a malicious HTTP/HTTPS request. Bug CVE-2019-1884 received a CVSS score of 7.7; it affects AsyncOS 11.7 and earlier builds, for which the manufacturer has released several patches.
Two deficiencies in network function virtualization (NFV) solutions are fixed by the release of Cisco Enterprise NFVIS 3.11.2. Vulnerability CVE-2019-1893 allowed local command injection and execution with root privileges in the device's base operating system.
The second bug, registered as CVE-2019-1894, allowed a remote attacker with administrator rights to overwrite or read arbitrary files. The problems are rated 7.8 and 7.2, respectively.
The firmware of the managed switches in the Small Business Series 200, 300 and 500 lines contained errors that allowed cybercriminals to cause a denial of service on the target device. The bugs, identified as CVE-2019-1891 and CVE-2019-1892, are associated with flaws in the web interface and the SSL handler. Both vulnerabilities received a CVSS score of 7.5 and are fixed in system software release 1.4.10.6.
The remaining bugs that received a high severity rating are related to:
- bypassing the security controls of Nexus 9000 fabric switches (CVE-2019-1890, CVSS 7.4);
- the ability to preload a malicious library in the Cisco Jabber corporate messenger (CVE-2019-1855, CVSS 7.3);
- privilege escalation when working through the REST API of an APIC controller cluster (CVE-2019-1889, CVSS 7.2).
The patch set also included several fixes for less serious vulnerabilities with CVSS ratings from 5.3 to 6.8. They concern Cisco IP Phone 7800 and 8800 firmware, the IOS XR operating system, the Firepower firewall, and other products.