Cisco patches critical flaws in VPN routers and firewalls

Cisco has fixed 33 CVE-numbered flaws in a variety of its devices, including five critical ones affecting RV-series VPN routers and firewalls and Cisco Prime License Manager, which is used by enterprises to manage user-based licensing.

About the vulnerabilities

With the recent onslaught of critical vulnerabilities affecting networking and security devices, it’s been a tough month for enterprise admins.

The pressure continues with this latest batch of Cisco security updates – the only good news is that none of the patched security holes is being exploited in the wild.

Cisco Small Business RV110W Wireless-N VPN Firewalls with firmware releases prior to v1.2.2.8 can be taken over by attackers via a system account has a default and static password (CVE-2020-3330).

Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers are plagued by a vulnerable web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device (CVE-2020-3323). The same interface on those same devices also sports an authentication bypass flaw that could be triggered via a crafted HTTP request sent to the affected device and could allow the attacker to gain administrative access on the affected device (CVE-2020-3144).

The RV110W Wireless-N VPN Firewalls and RV215W Wireless-N VPN Routers also have a hole that could be exploited by sending crafted requests to a targeted device and could allow the attacker to execute arbitrary code with the privileges of the root user (CVE-2020-3331).

Finally, the flaw affecting Cisco Prime License Manager is “just” a privilege escalation vulnerability, but it’s still deemed to be critical (CVE-2020-3140). Admins in charge of keeping Cisco Unified Communications Manager (Unified CM) Software, Cisco Unified CM Session Management Edition (SME) Software, and Cisco Unity Connection Software up-to-date should also see whether they need to implement this update, since Cisco PLM can be installed as part of that software.

Other, less critical vulnerabilities that have been fixed are found in a variety of Cisco SD-WAN solutions, Cisco WebEx, Cisco Vision Dynamic Signage Director, Cisco Data Center Network Manager, Cisco Meetings App, and Cisco Content Security Management Appliance.

All the relevant security advisories can be found here.