
Latest batch of Cisco updates patches 28 bugs, two critical

Cisco Systems yesterday issued 28 security updates that patch vulnerabilities found in a variety of products, including two critical bugs that were assigned a CVSS (Common Vulnerability Scoring System) base score of 9.8.

The first critical-impact bug, CVE-2018-0321, is an insecure open port in the Network Interface and Configuration Engine (NICE) service of Cisco Prime Collaboration Provisioning (PCP), releases 11.6 and earlier. According to a Cisco advisory, the flaw can allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI) system.

"An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance," the advisory states. "An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it."

Overall, Cisco fixed a total of seven vulnerabilities in PCP, six of which were rated high-impact or worse.
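The practical question the PCP advisory raises is whether a given management host exposes a Java RMI endpoint to unauthenticated clients at all. The article does not state which port the NICE service listens on, so the following added example (it is not from Cisco or the article) takes host and port as arguments and simply performs the client half of the JRMP stream-protocol handshake: send the 7-byte `JRMI` header and see whether the peer answers with a ProtocolAck. The handshake constants are those of the Java RMI wire protocol; the sample reply bytes in the test are constructed.

```python
import socket
import struct
import sys

# Java RMI (JRMP) stream-protocol handshake, as defined by the Java RMI wire
# protocol. The client opens a TCP connection and sends a 7-byte header; an RMI
# endpoint answers with ProtocolAck ('N') followed by the client's own endpoint
# identifier (UTF-8 host with a 2-byte length prefix, then a big-endian int32 port).
RMI_MAGIC = b"JRMI"          # 0x4a524d49
RMI_VERSION = b"\x00\x02"    # protocol version 2
STREAM_PROTOCOL = b"K"       # 0x4b: StreamProtocol
PROTOCOL_ACK = 0x4E          # 'N'
PROTOCOL_NACK = 0x4F         # 'O'


def build_handshake() -> bytes:
    """Client half of the JRMP handshake."""
    return RMI_MAGIC + RMI_VERSION + STREAM_PROTOCOL


def parse_server_reply(data: bytes):
    """Classify the first bytes a server sends back after the handshake.

    Returns None when the service is not speaking JRMP, otherwise a dict with
    'accepted' (ProtocolAck vs ProtocolNack) and, when the reply carries it,
    the host/port the server believes it is talking to.
    """
    if not data:
        return None
    if data[0] == PROTOCOL_NACK:
        return {"accepted": False, "host": None, "port": None}
    if data[0] != PROTOCOL_ACK:
        return None
    result = {"accepted": True, "host": None, "port": None}
    if len(data) >= 3:
        (hlen,) = struct.unpack(">H", data[1:3])
        if len(data) >= 3 + hlen + 4:
            result["host"] = data[3:3 + hlen].decode("utf-8", errors="replace")
            (result["port"],) = struct.unpack(">i", data[3 + hlen:7 + hlen])
    return result


def probe_rmi(host: str, port: int, timeout: float = 3.0):
    """Connect, send the handshake and classify the reply. Socket errors propagate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake())
        return parse_server_reply(sock.recv(256))


if __name__ == "__main__":
    # Usage: python rmi_probe.py <host> <port>  (the port is whatever your
    # PCP instance exposes; the Java RMI registry default is 1099).
    target, target_port = sys.argv[1], int(sys.argv[2])
    verdict = probe_rmi(target, target_port)
    if verdict is None:
        print(f"{target}:{target_port} does not answer the JRMP handshake")
    else:
        print(f"{target}:{target_port} is a Java RMI endpoint: {verdict}")
```

A ProtocolAck from an address that should only be reachable by the PCP application itself is exactly the exposure the advisory describes; a ProtocolNack still confirms an RMI listener, only one that refused the stream protocol, so treat both as findings and restrict the port at the network layer until the fixed release is installed.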

The other critical bug is CVE-2018-0315, a remote code execution and denial of service vulnerability in the authentication, authorization and accounting (AAA) security services of certain releases of Cisco IOS XE Software.

Another Cisco advisory says the problem is "caused by incorrect memory operations that the affected software performs when the software parses a username during login authentication. An attacker could exploit this vulnerability by attempting to authenticate to an affected device."

Affected devices are those that are running Cisco IOS XE Software Release Fuji 16.7.1 or Fuji 16.8.1 and are configured to use AAA for login authentication.
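Both conditions above (the Fuji release and AAA configured for login authentication) have to hold for a device to be exposed, and checking them by hand across a fleet is error-prone. The following added example, which is not from Cisco or the article, applies the two conditions to captured `show version` and `show running-config` output. The zero-padded `show version` format, the treatment of rebuild releases with a letter suffix (which the article does not mention, so they are flagged for a manual look rather than guessed) and the sample outputs are all my assumptions and constructed data.

```python
import re

# Affected combination as stated in the advisory summarised above: IOS XE Fuji
# 16.7.1 or 16.8.1 *and* AAA configured for login authentication. Rebuild
# releases carrying a letter suffix (e.g. 16.8.1a) are not mentioned in the
# article, so they are reported as needing a manual check rather than guessed.
AFFECTED_RELEASES = {"16.7.1", "16.8.1"}

# Assumption: IOS XE prints the release zero-padded, e.g.
# "Cisco IOS XE Software, Version 16.08.01".
_VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\d+)\.(\d+)\.(\d+)([a-z]?)")
# Equivalent of the CLI check: show running-config | include aaa authentication login
_AAA_LOGIN_RE = re.compile(r"^aaa authentication login\b", re.MULTILINE)


def ios_xe_release(show_version: str):
    """Return (release, rebuild_suffix) such as ("16.8.1", "") or (None, None)."""
    m = _VERSION_RE.search(show_version)
    if not m:
        return None, None
    release = ".".join(str(int(part)) for part in m.group(1, 2, 3))
    return release, m.group(4)


def uses_aaa_login(running_config: str) -> bool:
    """True when any 'aaa authentication login ...' method list is configured."""
    return _AAA_LOGIN_RE.search(running_config) is not None


def assess_cve_2018_0315(show_version: str, running_config: str) -> str:
    """Classify one device as 'affected', 'not affected' or 'check advisory'."""
    release, suffix = ios_xe_release(show_version)
    if release is None:
        return "check advisory"          # not IOS XE, or unrecognised output
    if not uses_aaa_login(running_config):
        return "not affected"            # AAA login authentication is required
    if release in AFFECTED_RELEASES:
        return "affected" if suffix == "" else "check advisory"
    return "not affected"


# Constructed sample outputs for illustration (not captured from real devices).
SHOW_VERSION_FUJI = """\
Cisco IOS XE Software, Version 16.08.01
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.8.1, RELEASE SOFTWARE (fc1)
"""
SHOW_VERSION_EVEREST = """\
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.4, RELEASE SOFTWARE (fc3)
"""
CONFIG_WITH_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ local
line vty 0 4
 login authentication default
"""
CONFIG_LOCAL_ONLY = """\
line vty 0 4
 login local
"""

if __name__ == "__main__":
    inventory = [("switch-a", SHOW_VERSION_FUJI, CONFIG_WITH_AAA),
                 ("switch-b", SHOW_VERSION_FUJI, CONFIG_LOCAL_ONLY),
                 ("switch-c", SHOW_VERSION_EVEREST, CONFIG_WITH_AAA)]
    for name, version_out, config in inventory:
        release, _ = ios_xe_release(version_out)
        print(f"{name}: {release} -> {assess_cve_2018_0315(version_out, config)}")
```

Note that "not affected" for a device without AAA login authentication only means the exploit path described in the advisory is closed; the vulnerable code is still present until the device is upgraded, and enabling AAA later reopens it.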

Aside from the two critical flaws, there were 11 high-impact bugs and 15 medium-severity issues. The affected products are Cisco's Web Security Appliance; Network Services Orchestrator; IP Phone 6800, 7800 and 8800 Series; multiple voice operating system-based products; Meeting Service; Adaptive Security Appliance; Unified IP Phone Software; WebEx; Wide Area Application Services Software; Integrated Management Controller Supervisor; UCS Director; Unified Computing System; Unified Communications Manager; FireSIGHT System; and AnyConnect Secure Mobility Client.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
