Cisco Systems issued 24 patches Wednesday tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated high severity by Cisco, with the others rated medium.
The two router vulnerabilities are rated high and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January, however Cisco said on Wednesday that both patches were “incomplete” and that both routers were still vulnerable to attack. It added in both cases that, “firmware updates that address [these vulnerabilities] are not currently available.” It added there are no workarounds that address either vulnerability.
One of the router flaws (CVE-2019-1652) is a command injection vulnerability “due to improper validation of user-supplied input,” Cisco wrote. The bug could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
The second router bug (CVE-2019-1653) is an information disclosure vulnerability also impacting Cisco Small Business RV320 and RV325 routers. “A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information,” Cisco wrote.
IOS XE Bugs
Of the high severity vulnerabilities 15 were tied to Cisco’s Internetworking Operating System (IOS) XE, which runs on Cisco networking gear such as its switches, controllers and routers. Bugs ranged from privilege escalation, injection and denial of service vulnerabilities.
One bug (CVE-2019-1745) is a Cisco IOS XE software command injection vulnerability. According to Cisco, the vulnerability could be exploited by a local adversary that could inject arbitrary commands into the OS that are executed with elevated privileges.
“The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device,” wrote Cisco.
The two command injection patches (CVE-2019-1756, CVE-2019-1755) allow a remote authenticated attacker to execute commands on devices running the vulnerable Cisco IOS XE software.
“The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI,” Cisco said of CVE-2019-1756.
Four Critical Non-Cisco Bugs Also Reported
As part of its flurry of patch announcements, Cisco also posted information regarding four vulnerabilities rated critical for non-Cisco products. The critical bugs include:
Moodle mybackpack functionality server side request forgery vulnerability (CVE-2019-3809) that could allow an unauthenticated, remote attacker to conduct a server side request forgery attack on a targeted system.
A second critical vulnerability was found in Elastic Kibana Security Audit Logger that could lead to an arbitrary code execution (CVE-2019-7610).
Cisco also reported a Python urllib security bypass vulnerability (CVE-2019-9948) and a Elastic Kibana Timelion Visualizer arbitrary code execution vulnerability (CVE-2019-7609).
(This article was updated at 11pm EDT 3/27 to reflect more accurately a lack of patches available for the Cisco RV320 and RV325 routers)