Cisco patches critical flaws affecting device software
Cisco patched two critical vulnerabilities and a high-severity flaw that allow attackers to bypass authentication.
Cisco patched two critical vulnerabilities and a high-severity flaw Wednesday that allow attackers to bypass authentication.
The more serious flaw affects the company's Lightweight Directory Access Protocol (LDAP) authentication, a directory protocol used to look up users, files and devices within a network. The flaw (CVE-2016-1416) could be used by a remote attacker to bypass authentication and gain full admin privileges. Cisco's Prime Collaboration Provisioning version 10.6 is affected if service pack 2 is installed. The network equipment manufacturer issued a 10.0 CVSS score for the vulnerability.
The company also released a patch for a flaw (CVE-2016-1289) that affects APIs used by Cisco Prime Infrastructure and EPNM. The flaw could be exploited by a remote attacker to bypass Uniform Resource Identifier (URI) authentication by sending specially crafted HTTP requests, allowing malicious code to be uploaded to the server.
The company also released a patch for a less severe flaw (CVE-2016-1394) that could allow a remote attacker to bypass authentication for Cisco Firepower software and access devices with a default account. The account does not have administrative privileges. There are no available workarounds for the three vulnerabilities.