Cisco patched two vulnerabilities, one rated critical and one high, that if exploited could allow an attacker to execute code.
The critical issue, CVE-2019-1663, is a problem affecting the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router, Cisco reported.
The issue is due to is due to the improper validation of user-supplied data in the web-based management interface. This can be exploited by sending a malicious HTTP request to one of the above-mentioned devices with the possible result that the attacker will be able to execute code on the underlying operating system as a higher-privileged user.
Cisco is recommending users update the affected device to install the patch.
The high-rated vulnerability, CVE-2019-1674, is in the update service of its Webex Meetings Desktop App and Webex Productivity Tools for Windows. If left unpatched a local attacker execute arbitrary commands as a privileged user, the company stated. The problem is due to insufficient validation of user-supplied parameters allowing an attacker to exploit this vulnerability by using the update service command with a crafted argument. If properly exploited the flaw could allow the attacker to run arbitrary commands with SYSTEM user privileges.
However, there is also a scenario that could allow such an attack remotely.
“While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools,” Cisco said.
Updates have been issued to correct this problem.