Cisco Systems yesterday issued 17 security advisories, disclosing vulnerabilities in multiple products, including at least three critical flaws. One of them, a privileged access bug found in seven models of its Small Business Switches, has not yet been patched, but the company has recommended a workaround to limit its potential for damage.
Designated CVE-2018-15439 with a CVSS score of 9.8, the unsolved privileged access vulnerability could allow a remote attacker to bypass an affected device’s user authentication mechanism and obtain full admin rights without the proper administrators being notified. Although there is currently no software fix, a Cisco advisory says users can implement a workaround by “adding at least one user account with access privilege set to level 15 in the device configuration.”
Affected device models are the Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches.
The other critical flaws confirmed in Cisco products were an authentication bypass vulnerability in the Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express. These also carry CVSS scores of 9.8.
Cisco published a fourth critical advisory warning of a remote code execution bug in the Apache Struts Commons FileUpload Library; however, it is unknown at this time if any Cisco products and services are affected.
Additional vulnerabilities were found in the Cisco’s Meraki networking devices, Video Surveillance Media Server, Content Security Management Appliance, Registered Envelope Service, Price Service Catalog, Prime Collaboration Assurance, Meeting Server, Immunet and AMP for Endpoints, Firepower System Software, Energy Management Suite and Integrated Management Controller Supervisor.
And in one final, odd advisory, Cisco acknowledged that a flub in its QA practices allowed dormant exploit code for the Dirty Cow vulnerability to be included in shipping software images for its Expressway Series and Cisco TelePresence Video Communication Server (VCS) software.
“The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images,” said the advisory. “The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images.”