Cisco plugs critical hole in Prime Home management platform


Cisco released nine security alerts on Wednesday, and among these are two for critical vulnerabilities in its ASR 900 Series routers and the Cisco Prime Home management platform (for provisioning and managing in-home devices).


The vulnerability in the routers could allow an unauthenticated, remote attacker to reload or remotely execute code on the affected device, while the flaw in the web-based GUI of Cisco Prime Home could be exploited by an unauthenticated, remote attacker to bypass authentication and acquire full administrator privileges.

Cisco has provided security updates that plug both holes, although the second one does not affect versions 6.0 and later of the platform, so users can simply upgrade to one of those versions. None of these bugs is being exploited by attackers in the wild.

The company has also patched two serious vulnerabilities in Cisco Meeting Server and the Meeting App which could lead to arbitrary code execution on the vulnerable systems.

Finally, one of the advisories addresses a Linux kernel vulnerability recently disclosed by the Linux Foundation. The bug is of medium severity: it could allow an attacker to elevate his privileges on the vulnerable systems, but not remotely.

Cisco has yet to come up with patches for this one, as it is still investigating which of its many products may be affected.

For now, updates scheduled for November, December and early 2017 show that many products in various categories (network management and provisioning; routing and switching; video, streaming, telepresence, and transcoding devices; and so on) are vulnerable, and will be receiving a patch.