This bug doesn't affect the An圜onnect client for macOS, Linux, or the client for iOS, Android, and the Universal Windows Platform. Users running Cisco An圜onnect Secure Mobility Client for Windows releases 6 and later are not vulnerable. SEE: Patch now: Cisco warns of nasty bug in its data center software To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system." "A successful exploit could allow the attacker to execute arbitrary code on the affected machine with System privileges. "An attacker could exploit this vulnerability by sending a crafted IPC message to the An圜onnect process," Cisco explains in the advisory. If attackers gained valid credentials on the Windows system, they could run malicious code with system-level privileges. Cisco has details about which releases of StarOS have been fixed in the advisory.įinally, An圜onnect VPN mobility client for Windows has a flaw that can let an authenticated, local attacker perform a dynamic link library (DLL) hijacking attack. The routers could be attacked if they are running a vulnerable release of Cisco StarOS and have the Vector Packet Processing (VPP) feature enabled. It has a severity rating of 8.6.Īffected devices include Cisco's ASR 5000 Series Aggregation Services Routers and its Virtualized Packet Core-Single Instance (VPC-SI). It's being tracked as CVE-2020-3324 and could allow a remote attacker without credentials to cause a denial of service on affected routers. There's a slightly more serious flaw in the IPv6 implementation of Cisco StarOS. This bug was also found in internal testing and Cisco is not aware of its use in malicious attacks. The bug, tracked as CVE-2020-3411, affects all 1.3.x versions of DNA Center software releases prior to 1.3.1.4. This allows an attacker to send a crafted HTTPS request to an affected device. The software doesn't handle authentication tokens properly, according to Cisco. It also notes that the issue only affects IPV6 traffic, not IPv4 traffic.Ĭertain versions of Cisco's DNA Center network automation software are also vulnerable to a high-severity flaw that could let a remote attacker access sensitive information, including configuration files. It's given the bug, tracked as CVE-2020-3363, a severity score of 8.6 out of 10. The switches with an update available include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches.Ĭisco says it's not aware of any malicious use of the vulnerability and found it during internal testing. While the bug leaves all named switches vulnerable to being rebooted and knocked offline, only four of them have software updates available because some are beyond the end-of-software-maintenance milestone. SEE: Research: Why Industrial IoT deployments are on the rise (TechRepublic Premium)
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |