Cisco warned customers of 12 vulnerabilities across its product line this week, including a critical vulnerability in the software that powers its conferencing product, WebEx Meetings Server.
The company stressed on Wednesday that version 2.6 of its WebEx Meetings Server is vulnerable to a remote command execution vulnerability. If exploited, the bug could enable an attacker to inject arbitrary commands on a system with elevated privileges.
The issue, the most pressing among all the fixes pushed by Cisco this week, stems from the insufficient sanitization of user-supplied data, according to an advisory published by the company on Wednesday. U.S. CERT also published an alert today with links to all 12 Cisco advisories.
Seven of the 12 vulnerabilities can lead to a denial of service condition on devices, Cisco warns. The company considers three of those vulnerabilities high severity, but has only patched one of them, in WebEx Meetings Server. Unless users have updated to the new version, 2.7, the software will not have the computational power to handle repeated attempts to access the device and could crash.
Patches for another high-severity DoS vulnerability, which stems from the way Cisco’s ACE30 Application Control Engine Module and ACE 4700 Series Application Control Engine handles SSL/TLS won’t be available for another two and a half months, Cisco said. The modules, application-delivery systems for switches and routers, fail to complete input validation checks in SSL/TLS code. There are no workarounds for the vulnerability, so those running the switch software will have to wait until Nov. 30 for a fix.
The remaining high severity DoS issue deals with a vulnerability in Internet Protocol version 6 (IPv6), so it isn’t Cisco specific, but the company said it will release an update in the future to fix the vulnerability, which stems from insufficient processing logic.
The rest of the advisories deal with less pressing bugs, a command line interface (CLI) vulnerability, an arbitrary file write vulnerability, and cross-site-scripting vulnerability.
Cisco has fixed two of the bugs; the arbitrary file write vulnerability, which exists in its Fog Director for IOx middleware, and the XSS bug, which exists in the company’s IOS and IOS XE infrastructure software.
Users will have to sit tight and wait for a patch for the CLI vulnerability, which can lead to privilege escalation and allow a local attacker to access Cisco’s Unified Computing System with the privileges of the root user. The advisory is a warning, but Cisco claims there’s no workaround or patch available yet.
Cisco also took a moment this week to clarify that it will not issue a fix for many of its routers and access points that suffer from a cryptographic vulnerability announced last year. The company issued an advisory around the issue last November. In it, Cisco said that due to the lack of unique key and certificate generation within some appliances – VPN routers, security routers, access points and firewalls made by the company – they may be vulnerable to man-in-the-middle attacks.
The company confirmed Tuesday that it will not provide a fix for 21 of the 24 devices affected by the vulnerability.
If exploited, the flaw – discovered by Stefan Viehböck, senior security consultant at SEC Consult Vulnerability Lab – could enable an attacker to decrypt confidential information on user connections.
