Cisco is issuing 17 new fixes for security problems with IOS and IOS/XE software that runs most of its routers and switches, while it has no patch yet to replace flawed patches to RV320 and RV 325 routers. Credit: Marisa9 / Getty Cisco has dropped 17 Security advisories describing 19 vulnerabilities in the software that runs most of its routers and switches, IOS and IOS/XE. The company also announced that two previously issued patches for its RV320 and RV325 Dual Gigabit WAN VPN Routers were “incomplete” and would need to be redone and reissued. Cisco rates both those router vulnerabilities as “High” and describes the problems like this: One vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. The second exposure is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco said firmware updates that address these vulnerabilities are not available and no workarounds exist, but is working on a complete fix for both. On the IOS front, the company said six of the vulnerabilities affect both Cisco IOS Software and Cisco IOS XE Software, one of the vulnerabilities affects just Cisco IOS software and ten of the vulnerabilities affect just Cisco IOS XE software. Some of the security bugs, which are all rated as “High”, include: A vulnerability in the web UI of Cisco IOS XE Software could let an unauthenticated, remote attacker access sensitive configuration information. A vulnerability in Cisco IOS XE Software could let an authenticated, local attacker inject arbitrary commands that are executed with elevated privileges. The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. A weakness in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 could let an unauthenticated, adjacent attacker trigger a reload of an affected device, resulting in a denial of service (DoS) condition, Cisco said. The vulnerability exists because the software insufficiently validates ingress traffic on the ASIC used on the RSP3 platform. An attacker could exploit this vulnerability by sending a malformed OSPF version 2 message to an affected device. A problem in the authorization subsystem of Cisco IOS XE Software could allow an authenticated but unprivileged (level 1), remote attacker to run privileged Cisco IOS commands by using the web UI. The vulnerability is due to improper validation of user privileges of web UI users. An attacker could exploit this vulnerability by submitting a malicious payload to a specific endpoint in the web UI, Cisco said. A vulnerability in the Cluster Management Protocol (CMP) processing code in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to trigger a DoS condition on an affected device. The vulnerability is due to insufficient input validation when processing CMP management packets, Cisco said. Cisco has released free software updates that address the vulnerabilities described in these advisories and directs users to their software agreements to find out how they can download the fixes. Related content news European trade body lashes out at Broadcom’s VMware licensing changes CISPE said the economic viability of many cloud services utilized by customers in Europe is threatened by “the massive and unjustifiable hikes in prices, the re-bundling of products, the altered basis of billing.” By Prasanth Aby Thomas Apr 23, 2024 5 mins Technology Industry Cloud Computing news Network jobs watch: Hiring, skills and certification trends What IT leaders need to know about expanding responsibilities, new titles and hot skills for network professionals and I&O teams. By Denise Dubie Apr 22, 2024 5 mins Careers Data Center Networking opinion Altnets and neutral hosts: Are options widening for enterprise network services? Independent broadband and telecom-infrastructure providers could provide connectivity options in areas where service is thin, if enterprise concerns about business viability and technology operations are addressed. By Tom Nolle Apr 22, 2024 7 mins Managed Service Providers Network Virtualization Networking news CSP Vultr launches sovereign cloud services New sovereign and private cloud services will help governments and enterprises keep data within national borders and comply with local regulations. By Andy Patrizio Apr 22, 2024 3 mins Cloud Computing Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe