Cisco closes high-impact vulnerabilities in its security offerings
Cisco has fixed 18 high-impact vulnerabilities affecting several of its security offerings and is advising administrators to test and implement the offered security updates as soon as possible.
“Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access, gain elevated privileges, execute arbitrary commands, or cause a denial of service (DoS) condition on an affected device,” the company said.
About the vulnerabilities
The vulnerabilities affect Cisco ASA (Adaptive Security Appliance) Software, Cisco FTD (Firepower Threat Defense Software) and Cisco FMC (Firepower Management Center) Software.
While DoS flaws might generally not be that big of a deal, these newly patched ones all affect Cisco’s Adaptive Security Appliance, giving attackers many avenues to temporarily put the appliances out of commission, i.e., opening enterprise networks to the threats the appliances protect them against.
The remote code execution and SQL injection flaws affecting the Cisco Firepower Management Center (the nerve center for managing Cisco network security solutions) have been awarded the highest CVSS Base Score.
The RCEs could allow authenticated, remote attackers to execute arbitrary commands on an affected device, and the SQL injection flaws could be used by attackers “to view information that they are not authorized to view, make changes to the system that they are not authorized to make, and execute commands within the underlying operating system that may affect the availability of the device.”
This could be achieved by sending specially crafted SQL queries to an affected device, but the one saving grace is that the attackers must be able to authenticate to the device before doing that.
Another piece of good news is that there is no indication attackers are actively exploiting any of these flaws – they were all discovered during internal security testing.
This latest batch (dated October 2, 2019) of Cisco security updates also brings fixes for less severe flaws reported by outside researchers.
Administrators would do well to get patching immediately, especially because of the imminent October 2019 Patch Tuesday and the substantial patching requirements that come with it.