Cisco has plugged a heap of security holes – three of which are critical – in a variety of its products.
The critical flaws
The flaws deemed critical are:
- A DoS and RCE vulnerability (CVE-2018-0423) in the web-based management interface of three series of Cisco wireless VPN routers: RV110W, RV130W, and RV215W. Unfortunately, it has only been fixed in the RV130W series.
- An Apache Struts RCE vulnerability (CVE-2018-11776) that affects twenty different Cisco products. A PoC for this vulnerability was recently found online, and the flaw is being actively exploited in the wild. For the time being, only one patch for one product (Cisco Identity Services Engine) has been released, and the company has published a schedule for some of the other releases.
- A vulnerability in the Cisco Umbrella API (CVE-2018-0435) that could allow an authenticated, remote attacker to view and modify data across their organization and other organizations. Cisco has addressed the issue and no user action is required.
Cisco has also patched a range of vulnerabilities affecting the Webex Meetings Client, Cisco Webex Teams, two high-impact flaws in the Cisco Umbrella Enterprise Roaming Client (reported and detailed by Critical Start’s Section 8 cybersecurity team), other high-impact vulnerabilities in the three router series mentioned above, the SD-WAN solution certifications platform, and more.
These range from privilege escalation and certificate validation to DoS, command injection, and XSS flaws.
Administrators are advised to review the advisories concerning the products they use and to implement the provided updates and/or mitigations.