Cisco has patched a string of serious vulnerabilities in its IOS networking software, including some that could be used for remote code execution, and also fixed flaws in some of its other products. In all, Cisco released 10 advisories, nine of which concerned IOS vulnerabilities.
The most serious of the flaws in IOS, the company’s ubiquitous network operating system, is a bug in the way that the Smart Install application works on some Cisco Catalyst switches. The problem can allow an attacker to run arbitrary code on the switch.
“A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability,” Cisco said in its advisory.
Several of the other vulnerabilities that Cisco patched in IOS are denial-of-service flaws. IN addition to those problems, there also is a serious issue in the Identity Services Engine, which has a default set of credentials for its underlying database.
“The Cisco ISE contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device,” the advisory says.
The full list of Cisco advisories is available on the Cisco security support site.