Cisco plugs bucketful of security holes in industrial routers, switches

Cisco has fixed more than two dozen critical and high-severity security vulnerabilities affecting operating systems running on the company’s carrier-grade and industrial routers and switches.

Cisco plugs security holes

About the vulnerabilities

OSes affected by various combinations of the now-fixed flaws include:

  • Cisco IOS – a family of network operating systems used on many Cisco Systems routers and network switches
  • IOS XE – installed on a variety of Cisco controllers, switches, edge, branch and virtual routers
  • IOS XR – used on Cisco’s high-end Network Converging System (NCS), carrier-grade routers
  • NX-OS – installed on Cisco’s Nexus-series hardware-based network switches, fabric extenders, storage switches and fabric interconnects

The four fixed critical vulnerabilities are:

  • CVE-2020-3227, a privilege escalation vulnerability – affects Cisco IOS XE Software releases 16.3.1 and later if they are configured with the IOx application hosting infrastructure.
  • CVE-2020-3205, a command injection vulnerability and CVE-2020-3198 and CVE-2020-3258, multiple arbitrary code execution flaws – affecting Cisco 809 and 829 Industrial Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers (CGR1000)

The high-severity issues include a wide variety of security flaw, which could allow: command injection, DoS, verification bypass, RCE, arbitrary file creation/read/overwrite, information disclosure, and so on.

Users of Cisco networking equipment should check whether they should upgrade the software and, if that’s the case, do so as soon as they can – though most of the vulnerabilities were discovered during internal testing and none are under active exploitation.

Share this
You are reading

Cisco plugs bucketful of security holes in industrial routers, switches