Cisco has released a set of patches for IOS and IOS XE

A new set of patches for Cisco products covers three dozen vulnerabilities, 13 of them rated high severity. The vast majority of the fixed bugs are in various components of the IOS and IOS XE operating systems.

The most serious vulnerability (CVE-2019-12648) is rated 9.9 on the CVSS scale. It sits in IOx, the application hosting environment for IOS that is used to collect and process data in the IoT networks of industrial enterprises.

According to the Cisco bulletin, the problem is caused by improper access control for the Linux Guest OS on IOS devices. As a result, any authenticated user with the lowest privilege level can escalate to root inside the Guest OS.

“The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests access to a Guest OS that should be restricted to administrative accounts. An attacker could exploit this vulnerability by authenticating to the Guest OS by using the low-privileged-user credentials. An exploit could allow the attacker to gain unauthorized access to the Guest OS as a root user,” Cisco specialists report.

The vulnerability affects Cisco 800 Series Industrial Integrated Services Routers and 1000 Series Connected Grid Routers that have a Guest OS installed.

The remaining high-severity bugs scored below 9 on the CVSS scale; almost all of them lead to denial of service.


One such bug is CVE-2019-1901, a buffer overflow (8.8 points) in the software of Cisco Nexus 9000 Series switches running in Application Centric Infrastructure (ACI) mode. A crafted LLDP packet sent to a directly connected interface of the device can crash it or execute arbitrary code with root privileges.

“A successful exploit may lead to a buffer overflow condition that could either cause a DoS condition or allow the attacker to execute arbitrary code with root privileges. This vulnerability cannot be exploited by transit traffic through the device; the crafted packet must be targeted to a directly connected interface,” Cisco employees state.
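To make concrete what a "crafted LLDP packet" has to get past, here is an added example of an LLDP TLV parser in C. It is not Cisco's code, and it is not the root cause of CVE-2019-1901, which the advisory does not describe; it only shows the generic pattern the bulletin's wording points at. Every LLDP TLV starts with a 16-bit header whose low 9 bits are an attacker-controlled length of up to 511 bytes, so a parser that copies that many bytes into a fixed buffer without the two checks below overflows it. The frame bytes, the 32-byte name buffer and the `demo_*` helpers are constructed for this example. LLDP frames are sent to a link-local multicast MAC address that bridges and routers do not forward, which is why only a directly connected neighbour, not transit traffic, can deliver such a frame.

```c
/* Added example: LLDP TLV parser with the bounds checks a crafted frame must
 * pass. Not Cisco's code and not the root cause of CVE-2019-1901. The frame
 * bytes, the 32-byte name buffer and the demo_* helpers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LLDP_TLV_END     0
#define LLDP_TLV_TTL     3
#define LLDP_TLV_SYSNAME 5
#define LLDP_NAME_MAX   32   /* fixed-size destination, as in the vulnerable pattern */

enum lldp_status {
    LLDP_OK = 0,
    LLDP_ERR_TRUNCATED,  /* declared TLV length runs past the end of the PDU */
    LLDP_ERR_TOO_LONG,   /* TLV value does not fit the destination buffer */
    LLDP_ERR_NO_END      /* PDU ended without an End-of-LLDPDU TLV */
};

struct lldp_info {
    char     sysname[LLDP_NAME_MAX];
    size_t   sysname_len;
    uint16_t ttl;
    int      tlvs_seen;
};

/* Parse an LLDPDU (the payload after the 14-byte Ethernet header). */
enum lldp_status lldp_parse(const uint8_t *pdu, size_t len, struct lldp_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);

    while (off + 2 <= len) {
        uint16_t hdr  = (uint16_t)((pdu[off] << 8) | pdu[off + 1]);
        unsigned type = hdr >> 9;         /* 7-bit TLV type */
        size_t   tlen = hdr & 0x1FF;      /* 9-bit TLV length, attacker-controlled */
        const uint8_t *val = pdu + off + 2;
        off += 2;

        if (type == LLDP_TLV_END)
            return LLDP_OK;

        /* Check 1: the declared length must lie inside the received PDU,
         * otherwise the copy below reads past the frame buffer. */
        if (tlen > len - off)
            return LLDP_ERR_TRUNCATED;

        switch (type) {
        case LLDP_TLV_SYSNAME:
            /* Check 2: the value must fit the fixed destination. The vulnerable
             * pattern is memcpy(out->sysname, val, tlen) with no comparison
             * against sizeof out->sysname: a TLV declaring 511 bytes then
             * overwrites whatever follows sysname in memory. */
            if (tlen > sizeof out->sysname)
                return LLDP_ERR_TOO_LONG;
            memcpy(out->sysname, val, tlen);
            out->sysname_len = tlen;
            break;
        case LLDP_TLV_TTL:
            if (tlen == 2)
                out->ttl = (uint16_t)((val[0] << 8) | val[1]);
            break;
        default:                          /* Chassis ID, Port ID, others: skipped */
            break;
        }
        out->tlvs_seen++;
        off += tlen;
    }
    return LLDP_ERR_NO_END;
}

/* Constructed well-formed LLDPDU: Chassis ID (MAC), Port ID "Gi1", TTL 120,
 * System Name "sw01", End TLV. Returns 1 when parsed as expected. */
int demo_good_ok(void)
{
    static const uint8_t pdu[] = {
        0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* Chassis ID  */
        0x04, 0x04, 0x07, 'G', 'i', '1',                      /* Port ID     */
        0x06, 0x02, 0x00, 0x78,                               /* TTL = 120   */
        0x0A, 0x04, 's', 'w', '0', '1',                       /* System Name */
        0x00, 0x00                                            /* End         */
    };
    struct lldp_info info;
    if (lldp_parse(pdu, sizeof pdu, &info) != LLDP_OK) return 0;
    return info.ttl == 120 && info.sysname_len == 4 &&
           memcmp(info.sysname, "sw01", 4) == 0 && info.tlvs_seen == 4;
}

/* Constructed crafted LLDPDU: System Name TLV header 0x0B2C (type 5, length 300)
 * with all 300 bytes present. Check 2 rejects it. */
enum lldp_status demo_oversized(void)
{
    static uint8_t pdu[2 + 300 + 2];
    struct lldp_info info;
    pdu[0] = 0x0B; pdu[1] = 0x2C;
    memset(pdu + 2, 'A', 300);
    pdu[302] = 0x00; pdu[303] = 0x00;   /* End TLV */
    return lldp_parse(pdu, sizeof pdu, &info);
}

/* Same header, but only 10 value bytes actually on the wire. Check 1 rejects it. */
enum lldp_status demo_truncated(void)
{
    static const uint8_t pdu[12] = { 0x0B, 0x2C, 'A','A','A','A','A','A','A','A','A','A' };
    struct lldp_info info;
    return lldp_parse(pdu, sizeof pdu, &info);
}

int main(void)
{
    printf("well-formed: %s\n", demo_good_ok() ? "ok" : "FAIL");
    printf("oversized TLV: %d, truncated TLV: %d\n", demo_oversized(), demo_truncated());
    return 0;
}
```

The order of the two checks matters: the frame-length check runs first so that the destination-size check never reads the value bytes of a TLV that are not actually present in the received frame.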

Other DoS bugs in IOS and IOS XE are rated 8.6 on the CVSS scale.

Cisco last patched the operating system of its network devices at the end of August, when the developers fixed a critical bug (CVSS 10) in the code that manages the IOS XE REST API authentication service. By sending malicious HTTP requests, an attacker could obtain the token-id of an authenticated user and use it to perform actions on the network device on that user's behalf.

William Reddy