Cisco has fixed more than two dozen critical and high-severity security vulnerabilities affecting operating systems running on the company’s carrier-grade and industrial routers and switches.
About the vulnerabilities
OSes affected by various combinations of the now-fixed flaws include:
- Cisco IOS – a family of network operating systems used on many Cisco Systems routers and network switches
- IOS XE – installed on a variety of Cisco controllers, switches, edge, branch and virtual routers
- IOS XR – used on Cisco’s high-end Network Convergence System (NCS) carrier-grade routers
- NX-OS – installed on Cisco’s Nexus-series hardware-based network switches, fabric extenders, storage switches and fabric interconnects
The four fixed critical vulnerabilities are:
- CVE-2020-3227, a privilege escalation vulnerability – affects Cisco IOS XE Software releases 16.3.1 and later if they are configured with the IOx application hosting infrastructure.
- CVE-2020-3205, a command injection vulnerability, and CVE-2020-3198 and CVE-2020-3258, two arbitrary code execution flaws – all affecting Cisco 809 and 829 Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers (CGR1000)
The high-severity issues cover a wide variety of security flaws, which could allow command injection, denial of service, verification bypass, remote code execution, arbitrary file creation/read/overwrite, information disclosure, and so on.
Users of Cisco networking equipment should check whether they should upgrade the software and, if that’s the case, do so as soon as they can – though most of the vulnerabilities were discovered during internal testing and none are under active exploitation.
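As an added example (not from the article or from Cisco), a small triage script that applies the affected criterion stated above for CVE-2020-3227 (IOS XE 16.3.1 or later with IOx configured) to a constructed device inventory. The article lists no fixed releases, so the script only flags candidates; the `Device` fields and the inventory are assumptions, and flagged hosts still need to be compared against Cisco's advisory.

```python
import re
from dataclasses import dataclass

# Criterion as stated in the article for CVE-2020-3227: Cisco IOS XE 16.3.1 and
# later, only when the IOx application hosting infrastructure is configured.
IOX_MIN_VERSION = (16, 3, 1)


@dataclass
class Device:
    hostname: str
    os: str            # e.g. "IOS XE", "IOS XR", "NX-OS" (assumed inventory field)
    version: str       # e.g. "16.9.4" or "17.3.1a" (assumed inventory field)
    iox_configured: bool


def parse_version(v: str) -> tuple:
    """Turn '17.3.1a' into (17, 3, 1). Trailing rebuild letters are dropped
    (assumption: they do not matter for the 16.3.1 threshold comparison)."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {v!r}")
        parts.append(int(m.group(1)))
    while len(parts) < 3:          # pad "16.3" to (16, 3, 0)
        parts.append(0)
    return tuple(parts[:3])


def matches_cve_2020_3227(dev: Device) -> bool:
    """True if the device meets the article's affected criterion."""
    if dev.os != "IOS XE" or not dev.iox_configured:
        return False
    return parse_version(dev.version) >= IOX_MIN_VERSION


def triage(devices) -> list:
    """Hostnames that match the criterion and should be checked against the advisory."""
    return [d.hostname for d in devices if matches_cve_2020_3227(d)]


# Constructed sample inventory, not real hosts.
INVENTORY = [
    Device("edge-r1", "IOS XE", "16.9.4", iox_configured=True),
    Device("edge-r2", "IOS XE", "16.2.2", iox_configured=True),      # below 16.3.1
    Device("branch-r3", "IOS XE", "17.3.1a", iox_configured=False),  # IOx not configured
    Device("core-xr1", "IOS XR", "7.1.2", iox_configured=True),      # different OS
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: matches CVE-2020-3227 criterion, check advisory for fixed release")
```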