Cisco patched several routers and firewall products, including critical flaws affecting Aggregation Services Routers 900 Series routers and Prime Home Servers.
A 900 Series buffer overflow critical vulnerability (CVE-2016-6441) in the TL1 management protocol code of the routers could be exploited by remote attackers to execute arbitrary code by sending a malicious request to the TL1 port. Workarounds exist for the flaw.
An authentication bypass flaw (CVE-2016-6452) in Prime Home server's web-based graphical user interface (GUI) could be exploited by a remote attacker to bypass authentication and gain full administrator privileges. There is no workaround available for the critical vulnerability.
An attacker could exploit the flaw to obtain a valid session identifier for an arbitrary user. The attacker could then “perform any actions in Cisco Prime Home for which that user is authorized—including users with administrator privileges,” Cisco wrote in a security advisory.