Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label High Severity. Show all posts

Cisco Releases Patches for Several High Severity Vulnerabilities

 

This week, Cisco addressed a number of high-severity flaws in its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products. If all of these issues are successfully exploited, attackers may be able to cause a denial of service (DoS), perform arbitrary commands as root, as well as obtain administrator rights. 

Two high-severity vulnerabilities (CVE-2021-34779 and CVE-2021-34780) were discovered within the implementation of the Link Layer Discovery Protocol (LLDP) for Small Business 220 series smart switches, allowing arbitrary code execution and a denial of service condition. The business switch series software update additionally fixes four medium-severity security issues that could cause LLDP storage destruction on a vulnerable device. 

Inadequate input validation inside the Intersight Virtual Appliance is another serious flaw. The security vulnerability, identified as CVE-2021-34748, could allow arbitrary instructions to be executed with root rights. 

Cisco further patched two high-severity flaws in its ATA 190 series and ATA 190 series multiplatform (MPP) software this week. The issues, identified as CVE-2021-34710 and CVE-2021-34735, might be used to execute malicious code and create a denial of service (DoS) scenario, accordingly. 

One of these flaws was disclosed to Cisco by firmware security company IoT Inspector, which published an alert on Thursday 7th of October, detailing its observations. 

Cisco has fixed a race issue in the AnyConnect Secure Mobility Client for Linux and macOS that could've been exploited to execute arbitrary code having admin rights, as well as an inappropriate memory management vulnerability in AsyncOS for Web Security Appliance (WSA) that might result in DoS. 

CVE-2021-1594, an inadequate input validation vulnerability in the REST API of Cisco Identity Services Engine, is yet another high-severity weakness patched this week (ISE). An intruder in a man-in-the-middle position might leverage the issue to execute arbitrary instructions with root access by decrypting HTTPS data between two ISE personas on different nodes. 

Cisco also provided fixes for TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital, which all have moderate issues. However, Cisco has issued patches for all these flaws and claims that exploits for them have not been publicly revealed.