Cisco Systems yesterday issued 28 security updates that patch vulnerabilities found in a variety of products, including two critical bugs that were assigned a CVSS (Common Vulnerability Scoring System) base score of 9.8.
The first critical-impact bug, CVE-2018-0321, consists of an insecure open port found in the Network Interface and Configuration Engine (NICE) service of Cisco Prime Collaboration Provisioning (PCP), releases 11.6 and earlier. According to a Cisco advisory, the flaw can allow an unauthenticated remote attacker to access the Java Remote Method Invocation (RMI) system.
“An attacker could exploit this vulnerability by accessing the open RMI system on an affected PCP instance,” the advisory states. “An exploit could allow the attacker to perform malicious actions that affect PCP and the devices that are connected to it.”
Overall, Cisco fixed a total of seven vulnerabilities in PCP, six of which were rated high-impact or worse.
The other critical bug is CVE-2018-0315, a remote code execution and denial of service vulnerability found in the authentication, authorization and accounting (AAA) security services of certain releases of Cisco IOS XE Software.
Another Cisco advisory says the problem is “caused by incorrect memory operations that the affected software performs when the software parses a username during login authentication. An attacker could exploit this vulnerability by attempting to authenticate to an affected device.”
Affected devices are those that are running Cisco IOS XE Software Release Fuji 16.7.1 or Fuji 16.8.1 and are configured to use AAA for login authentication.
Aside from the two critical flaws, there were 11 high-impact bugs and 15 medium-severity issues. The affected products are Cisco’s Web Security Appliance; Network Services Orchestrator; IP Phone 6800, 7800 and 8800 Series; multiple voice operating system-based products; Meeting Service; Adaptive Security Appliance; Unified IP Phone Software; WebEx; Wide Area Application Services Software; Integrated Management Controller Supervisor; UCS Director; Unified Computing System; Unified Communications Manager; FireSIGHT System; and AnyConnect Secure Mobility Client.