
Cisco fixes two critical bugs, recommends workaround for a third

Cisco Systems yesterday issued 17 security advisories disclosing vulnerabilities in multiple products, including at least three critical flaws. One of them, a privileged access bug affecting seven of its Small Business switch series, has not yet been patched, but the company has recommended a workaround to limit its potential for damage.

Designated CVE-2018-15439 and scored 9.8 on the CVSS scale, the still-unpatched privileged access vulnerability could allow an unauthenticated, remote attacker to bypass an affected device's user authentication mechanism and obtain full admin rights. Under specific circumstances the switch software enables a default privileged account without notifying administrators; that account stays enabled as long as no user-configured privilege level 15 account exists on the device, which is why the workaround targets exactly that condition. Although there is currently no software fix, a Cisco advisory says users can protect themselves by "adding at least one user account with access privilege set to level 15 in the device configuration."

Affected device models are the Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches.
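As an added check for the workaround described above (example code written for this article, not Cisco's own tooling), the script below parses a saved `show running-config` dump from one of the listed switches and reports whether any local account already carries privilege level 15. The config line format (`username <name> password encrypted <hash> privilege <n>`), the default privilege level of 1 for a `username` line with no `privilege` keyword, and the two sample configs are assumptions modelled on the Sx300/Sx500 CLI conventions, not captured from a real device.

```python
import re

# One "username" line in a Cisco Small Business (Sx300/Sx500 style) running-config.
# Assumed format, e.g.: "username ops password encrypted <hash> privilege 7".
USERNAME_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$")
PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d{1,2})\b")
# Assumed CLI default when a username line carries no "privilege" keyword.
DEFAULT_PRIVILEGE = 1


def parse_user_accounts(running_config: str) -> dict:
    """Return {account name: privilege level} for every local user in the config."""
    accounts = {}
    for line in running_config.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        pm = PRIV_RE.search(m.group("rest"))
        accounts[m.group("name")] = int(pm.group("level")) if pm else DEFAULT_PRIVILEGE
    return accounts


def has_level15_account(running_config: str) -> bool:
    """True when at least one locally configured account holds privilege 15,
    i.e. the workaround Cisco recommends for CVE-2018-15439 is in place."""
    return 15 in parse_user_accounts(running_config).values()


# Constructed sample configs (not captured from a real switch).
CONFIG_WITHOUT_WORKAROUND = """\
hostname sw-edge-1
username ops password encrypted d41d8cd98f00b204e9800998ecf8427e privilege 7
username audit password encrypted 5f4dcc3b5aa765d61d8327deb882cf99
"""

CONFIG_WITH_WORKAROUND = """\
hostname sw-edge-2
username ops password encrypted d41d8cd98f00b204e9800998ecf8427e privilege 7
username netadmin password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 15
"""

if __name__ == "__main__":
    for cfg in (CONFIG_WITHOUT_WORKAROUND, CONFIG_WITH_WORKAROUND):
        verdict = "OK" if has_level15_account(cfg) else "WARN: workaround not applied"
        print(parse_user_accounts(cfg), "->", verdict)
```

Run it against a config dump pulled from each switch before and after applying the workaround; a "WARN" result means the device still has no user-configured level 15 account and, per Cisco's advisory, remains exposed until one is added or a fixed release ships.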

The other critical flaws confirmed in Cisco products were an authentication bypass vulnerability in the Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express. These also carry CVSS scores of 9.8.

Cisco published a fourth critical advisory warning of a remote code execution bug in the Apache Struts Commons FileUpload Library; however, it is unknown at this time if any Cisco products and services are affected.

Additional vulnerabilities were found in Cisco's Meraki networking devices, Video Surveillance Media Server, Content Security Management Appliance, Registered Envelope Service, Price Service Catalog, Prime Collaboration Assurance, Meeting Server, Immunet and AMP for Endpoints, Firepower System Software, Energy Management Suite and Integrated Management Controller Supervisor.

And in one final, odd advisory, Cisco acknowledged that a flub in its QA practices allowed dormant exploit code for the Dirty Cow vulnerability (CVE-2016-5195, a Linux kernel privilege escalation flaw) to be included in shipping software images for its Expressway Series and Cisco TelePresence Video Communication Server (VCS) software.

"The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images," said the advisory. "The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
