Cisco Patches Six Critical Bugs in UCS Gear and Switches

Six bugs found in Cisco’s Unified Computing System gear and its 220 Series Smart switches can allow unauthenticated remote hackers to take over equipment.

Cisco Systems is warning of six critical vulnerabilities impacting a wide range of its products, including its Unified Computing System server line and its small business 220 Series Smart switches. In all instances of the vulnerabilities, a remote unauthenticated attacker could take over targeted hardware.

Four of the critical bugs (CVE-2019-1938, CVE-2019-1935, CVE-2019-1974 and CVE-2019-1937) impact Cisco’s Unified Computing System (UCS) components. Each has a critical-severity rating and a CVSS score of 9.8.

One of the bugs (CVE-2019-1935) is a default-user-credential flaw and impacts Cisco Integrated Management Controller Supervisor, Cisco UCS Director and Cisco UCS Director Express for Big Data SCP. The bug “could allow an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials,” according to Cisco.

Another UCS bug (CVE-2019-1938) impacts Cisco UCS Director and Cisco UCS Director Express for Big Data API. In this case, a “vulnerability in the web-based management interface of Cisco UCS Director and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrator privileges on an affected system,” Cisco said.

With each of the four UCS bugs, Cisco said, no known public exploits are available and systems impacted by the flaws have not been attacked. Patches are available for each of the four flaws.

Cisco 220 Series Smart Switch Users Urged to Patch

Cisco is also warning of two remote code execution bugs impacting its small business 220 Series Smart switches. In both cases, an unauthenticated remote adversary can trigger a buffer overflow attack and execute arbitrary code to gain control of the switch’s operating system.

Public exploit code for both critical bugs is available online; however, there are no reported incidents leveraging the bugs, Cisco said. Both bugs (CVE-2019-1913 and CVE-2019-1912) were first made public Aug. 6, but on Wednesday were updated with additional information.

The most serious of the 220 Series Smart switch bugs (CVE-2019-1913) has a CVSS rating of 9.8. According to Cisco, the small business 220 Series Smart switch vulnerability is “due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.”

Vulnerable 220 switches are running firmware with the web management interface enabled.

“To determine whether the web management interface is enabled via either HTTP or HTTPS, administrators can use the show running-config command on the device CLI. If both of the following lines are present in the configuration, the web management interface is disabled and the device is not vulnerable,” wrote Cisco.

In both cases, Cisco credited researchers at the VDOO Disclosure Program for identifying the critical vulnerabilities.

Medium-Severity Bugs

Wednesday’s critical bug news was part of a wider disclosure of vulnerabilities by Cisco that included three medium-severity bugs. Two of the flaws (CVE-2019-1914 and CVE-2019-1949) affect Cisco’s 220 Series switch and the company’s Firepower Management Center.

The third medium-severity bug (CVE-2019-9506) is tied to Microsoft’s August Patch Tuesday disclosure of the so-called DejaBlue vulnerability. Cisco lists six IP-based phones impacted by the flaw along with versions (DX70 and DX80) of its Webex collaboration software.
