Cisco plugs bucketful of security holes in industrial routers, switches

Cisco has fixed more than two dozen critical and high-severity security vulnerabilities affecting operating systems running on the company’s carrier-grade and industrial routers and switches.

Cisco plugs security holes

About the vulnerabilities

OSes affected by various combinations of the now-fixed flaws include:

  • Cisco IOS – a family of network operating systems used on many Cisco Systems routers and network switches
  • IOS XE – installed on a variety of Cisco controllers, switches, edge, branch and virtual routers
  • IOS XR – used on Cisco’s high-end Network Converging System (NCS), carrier-grade routers
  • NX-OS – installed on Cisco’s Nexus-series hardware-based network switches, fabric extenders, storage switches and fabric interconnects

The four fixed critical vulnerabilities are:

  • CVE-2020-3227, a privilege escalation vulnerability – affects Cisco IOS XE Software releases 16.3.1 and later if they are configured with the IOx application hosting infrastructure.
  • CVE-2020-3205, a command injection vulnerability and CVE-2020-3198 and CVE-2020-3258, multiple arbitrary code execution flaws – affecting Cisco 809 and 829 Industrial Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers (CGR1000)

The high-severity issues include a wide variety of security flaw, which could allow: command injection, DoS, verification bypass, RCE, arbitrary file creation/read/overwrite, information disclosure, and so on.

Users of Cisco networking equipment should check whether they should upgrade the software and, if that’s the case, do so as soon as they can – though most of the vulnerabilities were discovered during internal testing and none are under active exploitation.




Share this