Cisco has released another batch of security updates and patches for a variety of its offerings, including many of its security solutions.
Security fixes for security solutions
Among the security holes plugged is CVE-2019-16028, a critical authentication bypass vulnerability affecting the Cisco Firepower Management Center – a device that provides visibility into an organization’s network and allows admins to centrally manage critical Cisco network security solutions.
“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device,” Cisco explained.
Unlike many of the flaws patched in this batch, this vulnerability was discovered and flagged by outside security researchers. The good news is that there is no indication it is being exploited in attacks in the wild. Admins are advised to upgrade to a fixed release or to apply a hotfix.
“Customers who cannot immediately apply a software fix may evaluate the possibility of disabling LDAP authentication for FMC access and using other authentication methods until a software fix can be applied,” Cisco noted.
Cisco Email Security, Web Security and Content Security Management Appliances also sport a few flaws, all medium-risk and most found during internal security testing.
Among these is CVE-2020-3133, a vulnerability that could allow an unauthenticated, remote attacker to bypass configured filters on a Cisco Email Security Appliance.
Cisco ESAs should be upgraded to v13.0 and later, Cisco WSAs to v11.8.0-382 and later, and Cisco SMAs to v13.0.0-187 and later.
High-risk vulnerabilities fixed in this bundle include several denial of service bugs affecting Cisco Smart Software Manager On-Prem and the Cisco IOS XR Software (the OS used on Cisco’s carrier-grade routers).
Finally, devices running Cisco IOS XE SD-WAN Software – software that provides them with SD-WAN capabilities – should be updated to release 16.12.1 to remove a set of default credentials within the default configuration.
“An attacker who has access to an affected device could log in with elevated privileges. A successful exploit could allow the attacker to take complete control of the device,” Cisco noted.
Security advisories for all of the fixed flaws can be found here.