Cisco released several security patches addressing 36 vulnerabilities between October 3 and 4, three of which were rated “Critical” and eight of which were rated “High” with some of the exploits allowing an attacker to take control of an affected system.
Critical vulnerabilities include a Prime Infrastructure Arbitrary File Upload and Command Execution vulnerability, a digital network architecture center unauthenticated access vulnerability, and a Digital Network Architecture Center Authentication Bypass Vulnerability, according to the security updates.
The Prime Infrastructure Arbitrary File Upload and Command Execution flaw is a vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions and could allow an unauthenticated, remote attacker to upload an arbitrary file. It is caused by an incorrect permission setting for important system directories.
The Digital Network Architecture Center Unauthenticated Access Vulnerability is the result of an insecure default configuration of the affected system and the Digital Network Architecture Center Authentication Bypass Vulnerability is caused by insufficient security restrictions for critical management functions.
Cisco also released an update to address a “High” rated Linux Kernel IP Fragment Reassembly Denial of Service Vulnerability. This vulnerability could allow an unauthenticated remote attacker to carry out denial of service conditions on the victim’s device.
The bug affects Linux Kernel Version 3.9 and later and is caused by inefficient IPv4 and IPv6 fragment reassembly algorithms in the IP stack that is used by the affected kernel.