Cisco Disclosed Critical Security Flaws in its Software.
Cisco released its semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
The Security Advisory Bundled Publication includes 23 Cisco Security Advisories that describe 25 vulnerabilities in Cisco IOS Software and IOS XE Software.
Cisco has released software updates that address these vulnerabilities.
Of the 23 advisories in this publication, 20 are rated High and three are rated Critical. The 25 vulnerabilities break down as follows:
- One vulnerability affects Cisco IOS, IOS XE, IOS XR, and NX-OS Software.
- Five vulnerabilities affect both Cisco IOS and IOS XE Software.
- Six vulnerabilities affect only Cisco IOS Software and 10 affect only IOS XE Software.
- Three vulnerabilities affect the Cisco IOx application environment.
The following vulnerabilities are rated Critical.
Cisco IOS Software for Cisco Industrial Routers Virtual Device Server Inter-VM Channel Command Injection Vulnerability
A vulnerability in the implementation of the inter-VM channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, adjacent attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. Adjacent here means the attacker must be on the same Layer 2 segment as the device, so no credentials are required, only network reach.
The vulnerability is due to insufficient validation of signaling packets that are destined to the VDS. An attacker could exploit this vulnerability by sending malicious packets to an affected device. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of the VDS with the privileges of the root user. Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise.
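As an added illustration, not Cisco's code and not the real VDS wire format, the following C sketch shows the class of bug the advisory describes: a signaling-packet handler that splices a packet field straight into a shell command line, next to a version that validates the field against a fixed allowlist before anything reaches the shell. The packet layout, the opcode, the command template and the interface names are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical inter-VM signaling packet layout, constructed for this example
 * (NOT the real VDS format): one opcode byte, one length byte, then an ASCII
 * argument of that length. */
#define OP_IFUP 0x01
#define CMD_MAX 256

/* Vulnerable handler: the argument carried in the packet is spliced directly
 * into a shell command line with no validation. A payload such as
 * "eth0; id #" becomes "ip link set eth0; id # up", which a later system()
 * call on the VDS would run as root. Returns 1 and fills out[] on success,
 * 0 on a malformed packet. */
int build_cmd_vulnerable(const unsigned char *pkt, size_t len,
                         char *out, size_t outsz)
{
    if (len < 2 || pkt[0] != OP_IFUP) return 0;
    size_t alen = pkt[1];
    if (alen + 2 > len) return 0;
    char arg[CMD_MAX];
    if (alen >= sizeof arg) return 0;
    memcpy(arg, pkt + 2, alen);
    arg[alen] = '\0';
    snprintf(out, outsz, "ip link set %s up", arg); /* no validation at all */
    return 1;
}

/* Hardened handler: the argument must match an interface name from a fixed
 * allowlist, and only the allowlisted string (never attacker bytes) is used
 * to build the command. Anything else is rejected. */
static const char *const allowed_ifaces[] = { "eth0", "eth1", "wlan0" };

int build_cmd_hardened(const unsigned char *pkt, size_t len,
                       char *out, size_t outsz)
{
    if (len < 2 || pkt[0] != OP_IFUP) return 0;
    size_t alen = pkt[1];
    if (alen + 2 > len || alen == 0 || alen >= 16) return 0;
    char arg[16];
    memcpy(arg, pkt + 2, alen);
    arg[alen] = '\0';
    size_t n = sizeof allowed_ifaces / sizeof allowed_ifaces[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(arg, allowed_ifaces[i]) == 0) {
            snprintf(out, outsz, "ip link set %s up", allowed_ifaces[i]);
            return 1;
        }
    }
    return 0; /* not on the allowlist: drop the packet */
}

/* Constructed packets: a crafted one carrying "eth0; id #" and a benign one. */
static const unsigned char evil_pkt[] =
    { OP_IFUP, 10, 'e','t','h','0',';',' ','i','d',' ','#' };
static const unsigned char good_pkt[] =
    { OP_IFUP, 4, 'e','t','h','0' };

int main(void)
{
    char cmd[CMD_MAX];
    if (build_cmd_vulnerable(evil_pkt, sizeof evil_pkt, cmd, sizeof cmd))
        printf("vulnerable handler would run: %s\n", cmd);
    if (!build_cmd_hardened(evil_pkt, sizeof evil_pkt, cmd, sizeof cmd))
        printf("hardened handler rejected the crafted packet\n");
    if (build_cmd_hardened(good_pkt, sizeof good_pkt, cmd, sizeof cmd))
        printf("hardened handler would run: %s\n", cmd);
    return 0;
}
```

The allowlist is the important part: rejecting shell metacharacters is fragile, whereas only ever passing a known-good constant to the command builder removes the injection surface. A real fix would go one step further and avoid the shell entirely, calling fork() and execve() with an argv array instead of system().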
Cisco IOS Software for Cisco Industrial Routers Arbitrary Code Execution Vulnerabilities
Multiple vulnerabilities in Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, remote attacker or an authenticated, local attacker to execute arbitrary code on an affected system or cause an affected system to crash and reload.
Cisco IOx for IOS XE Software Privilege Escalation Vulnerability
A vulnerability in the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software could allow an unauthenticated, remote attacker to execute Cisco IOx API commands without authorization.
The vulnerability is due to incorrect handling of requests for authorization tokens. An attacker could exploit this vulnerability by using a crafted API call to request such a token. A successful exploit could allow the attacker to obtain an authorization token and execute any of the IOx API commands on an affected device. Note that this is only exposed on devices where the IOx application hosting feature is enabled.
All of these vulnerabilities have now been patched. Cisco has released software updates that address them, and affected customers should upgrade to a fixed release.