
Cisco patches multiple vulnerabilities

Cisco released 14 security advisories on January 8 with two being rated as having a potentially high impact and the remainder listed as medium issues.

The two rated high are CVE-2019-16005 and CVE-2019-16009.

The first is a Cisco Webex Video Mesh Node command injection vulnerability that, if exploited, could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.

The latter is a vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This is due to insufficient CSRF protections for the web UI on an affected device.

The medium-rated CVE-2020-3116 is a vulnerability in the way Cisco Webex applications process Universal Communications Format (UCF) files that could allow an attacker to cause a DoS condition. This flaw can be exploited if an attacker sends a user a malicious UCF file through a link or email attachment and persuades the user to open the file with the affected software on the local system.

The company also noted a vulnerability in the web-based GUI of its IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware. If exploited, it could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based interface of an affected system.

Patches are available for all the vulnerabilities and Cisco recommends users update their systems accordingly.
