A new security vulnerability pushed Cisco to urge enterprise administrators to install critical security updates. As always, a SMARTnet contract is not necessary to obtain fixed software for security vulnerabilities.
Vulnerability Details
CVE-2019-1848 is a Cisco DNA Center authentication bypass vulnerability. Due to insufficient access restriction to the ports necessary for system operation, an attacker may reach internal services that are not hardened for external access. 9.3 (out of 10) CVSS score identifies this as a critical requirement to be addressed. A successful exploit could also let an unauthenticated attacker connect an unauthorized network device to the subnet designated for cluster services. Please ensure that you are running release 1.3 or newer. Fixed software is not available through Cisco’s software center. There is an “update” feature within the DNA Center that call for the fixed software.
CVE-2019-1625 is a Cisco SD-WAN privilege escalation vulnerability. The source is an insufficient authorization enforcement. It could allow the attacker to make config changes to the system as the root user. CVSS score of 7.8. Impacted is any release of Cisco’s SD-WAN Solution prior to 18.3.6, 18.4.1, and 19.1.0. 18.4.1 is the minimum recommended image.
“High” and “Critical” advisories listed below:
| Advisory Alert | Impact |
|---|---|
|
Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Security Vulnerability
|
Critical |
|
Cisco SD-WAN Solution Privilege Escalation Security Vulnerability
|
Critical |
|
Cisco DNA Center Authentication Bypass Security Vulnerability
|
Critical |
|
Cisco Prime Service Catalog Cross-Site Request Forgery Vulnerability
|
High |
|
Cisco TelePresence Endpoint Command Shell Injection Vulnerability
|
High |
|
Cisco StarOS Denial of Service Vulnerability
|
High |
|
Cisco SD-WAN Solution Privilege Escalation Vulnerability
|
High |
|
Cisco SD-WAN Solution Command Injection Vulnerability
|
High |
|
Cisco RV110W, RV130W, and RV215W Routers Management Interface Denial of Service Vulnerability
|
High |
|
Cisco Meeting Server CLI Command Injection Vulnerability
|
High |
|
Cisco Secure Boot Hardware Tampering Vulnerability
|
High |
|
Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
|
High |
|
Cisco Industrial Network Director Remote Code Execution Vulnerability
|
High |
|
Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS, and Cisco
Expressway Series Denial of Service Vulnerability |
High |
|
Cisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability
|
High |
As Cisco continues to surge toward becoming a software company, please consider the potential impact that a major exploit could have on organizations if the market continues to adopt opening their networks to Cisco’s software development and new licensing model.
Its not a matter of “if,” but rather “when?”