Cisco Systems on Wednesday issued a security update to repair a critical unauthorized access bug in its Cloud Services Platform (CSP) 2100.
According to a Cisco advisory, the CSP2100 flaw can be exploited by authenticated, remote attackers to interact with virtual machines operating on an affected device, causing "a complete loss of the system's confidentiality, integrity, and availability." Officially designated CVE-2017-12251, the bug was assigned a Common Vulnerability Scoring System (CVSS) base score of 9.9.
Cisco reports that the vulnerability is "due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console," which allow malicious actors to browse to a hosted VM's URL and observe "specific patterns that control the web application's mechanisms for authentication control." The flaw, which has no workarounds, is is fixed with CSP 2100 release 2.2.3.
Additionally, Cisco published 15 other new security advisories on Oct. 18, including three addressing high-severity vulnerabilities. In these advisories, the company announced more fixes for a denial of service bug in the authentication, authorization, and accounting (AAA) implementation of its Firepower Extensible Operating System (FXOS) and NX-OS System Software, and a denial of service bug in various IP phone models.
Days earlier, the company published an advisory listing products affected by the high-profile set of KRACK vulnerabilities recently found in Wi-Fi devices. As of an Oct. 18 update, Cisco has announced that 69 of its products have been confirmed affected, with more under investigation. The company has also begun distributing its first fixed releases for wireless technology impacted by KRACK, with more to come in the following days.
