Your review has been sent successfully

Cisco Updates

2217
Classification
These posts contain security alerts, including digital loopholes, electronic attacks, technical updates, and they are classified base on the level of severity.

Critical

High

Medium

Low

Warning Date

Severity Level

Warning Number

Target Sector

4 June, 2020

● High

2020-1318

All

Description:

Cisco has released security updates to address multiple vulnerabilities in the following products:

  • Cisco Application Services Engine Software
    • Prior to 1.1.2.20.
  • Cisco ASR 920 Series Aggregation Services Router model ASR920-12SZ-IM
    • if it is configured with both SNMP (either Version 2c or 3) and Cisco Discovery Protocol.
  • Cisco Catalyst 2960-L Series Switches and Cisco Catalyst CDB-8P Switches
    • that are running a vulnerable release of Cisco IOS Software with 802.1X port-based authentication
  • Cisco IOx Application Framework
    • release earlier than Release 1.9.0:
      • 800 Series Industrial Integrated Services Routers (Industrial ISRs)
      • 800 Series Integrated Services Routers (ISRs)
      • 1000 Series Connected Grid Routers (CGR1000) Compute Module
  • IC3000 Industrial Compute Gateway
    • Industrial Ethernet (IE) 4000 Series Switches
  • IOS XE-based devices:
    • 1000 Series ISRs
    • 4000 Series ISRs
  • ASR 1000 Series Aggregation Services Routers
  • Catalyst 9x00 Series Switches
  • Catalyst IE3400 Rugged Series Switches
  • Embedded Services 3300 Series Switches
  • IR510 WPAN Industrial Routers
  • Cisco DNA Center software
    • releases earlier than Release 1.3.3.3.
  • Cisco Catalyst 9800 Series Wireless Controllers
    • if they were running a vulnerable release of Cisco IOS XE Software and processed device analytics from supported Apple devices
  • Cisco IOS XE Software and processed device analytics
    • supported Apple devices.
  • Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers
    • running a vulnerable release of Cisco IOS XE Software and were configured for IPsec VPN.
  • Cisco ISE software releases:
    • Earlier than Release 2.2.0.470-Patch13
    • Earlier than Release 2.3.0.298-Patch6
    • Earlier than Release 2.4.0.357-Patch2
  • Cisco Prime Infrastructure software
    • releases earlier than Release 3.7.1 Update 01 and Release 3.8 Update 02.
  • Cisco products:
    • Cisco IOS Software
    • Cisco IOS XR Software
    • Cisco NX-OS Software
  • Cisco devices
    • that are running a vulnerable release of Cisco IOS XE Software.
  • Cisco NX-OS Software with support for SXP version 4 (SXPv4):
    • Nexus 7000 Series Switches — Release 8.0(1) only
    • Nexus 1000 Virtual Edge for VMware vSphere
    • Nexus 1000V Switch for VMware vSphere
  • Cisco devices
    • running a vulnerable release of Cisco IOS or IOS XE Software.
  • Cisco Unified CCX software
  • releases earlier than Release 12.5(1).
  • Cisco IOS XE Software
  • Cisco IOS or IOS XE Software
    • IKEv2 features configured.
  • Cisco products if they are running a vulnerable release of Cisco IOS Software:
    • Cisco 809 and 829 Industrial ISRs
    • CGR1000
  • Cisco IOS, IOS XE, or IOS XR Software
    • onePK feature enabled.
  • Cisco Catalyst 9800 Series Wireless Controllers
    • running a vulnerable release of Cisco IOS XE Software and are configured with LSCs.
  • Cisco Catalyst 9800 Series Wireless Controllers
    • running a vulnerable release of Cisco IOS XE Software and have the Application Visibility and Control (AVC) feature enabled.

Threats:

Remote attacker could exploit these vulnerabilities by doing the following:

  • Execute arbitrary code remotely
  • Authentication bypass
  • Execute arbitrary code as a root
  • Send and receive broadcast traffic before authentication
  • Overwrite files
  • Use those credentials to discover and manage network devices
  • Man-in-the-middle attack.
  • Cross-site scripting (XSS)
  • SQL injection
  • Privilege Escalation remotely
  • Command Injection

Best practice and Recommendations:

The CERT team encourages users to review Cisco security advisory and apply the necessary updates:

Last updated at 4 June, 2020

Rate the content

rate-icon
up icon