Cisco is urging customers to update small business switches, its DNA Center software, routers with its StarOS software, and its AnyConnect Secure Mobility VPN client for Windows.
Cisco has disclosed a bug in the IPv6 packet processing engine of several Cisco Small Business Smart and Managed Switches that could allow a remote attacker without credentials to trigger a denial of service on affected devices.
Affected switches include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches.
While the bug leaves all named switches vulnerable to being rebooted and knocked offline, only four of them have software updates available because some are beyond the end-of-software-maintenance milestone.
The switches with an update available include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches.
Cisco says it’s not aware of any malicious use of the vulnerability and found it during internal testing. It’s given the bug, tracked as CVE-2020-3363, a severity score of 8.6 out of 10. It also notes that the issue only affects IPV6 traffic, not IPv4 traffic.
Certain versions of Cisco’s DNA Center network automation software are also vulnerable to a high-severity flaw that could let a remote attacker access sensitive information, including configuration files. It has a severity rating of 7.5.
The software doesn’t handle authentication tokens properly, according to Cisco. This allows an attacker to send a crafted HTTPS request to an affected device. The bug, tracked as CVE-2020-3411, affects all 1.3.x versions of DNA Center software releases prior to 184.108.40.206.
This bug was also found in internal testing and Cisco is not aware of its use in malicious attacks.
There’s a slightly more serious flaw in the IPv6 implementation of Cisco StarOS. It’s being tracked as CVE-2020-3324 and could allow a remote attacker without credentials to cause a denial of service on affected routers. It has a severity rating of 8.6.
Affected devices include Cisco’s ASR 5000 Series Aggregation Services Routers and its Virtualized Packet Core-Single Instance (VPC-SI).
The routers could be attacked if they are running a vulnerable release of Cisco StarOS and have the Vector Packet Processing (VPP) feature enabled. However, VPP is disabled by default. Cisco has details about which releases of StarOS have been fixed in the advisory.
Finally, AnyConnect VPN mobility client for Windows has a flaw that can let an authenticated, local attacker perform a dynamic link library (DLL) hijacking attack. If attackers gained valid credentials on the Windows system, they could run malicious code with system-level privileges.
“An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process,” Cisco explains in the advisory.
“A successful exploit could allow the attacker to execute arbitrary code on the affected machine with System privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.”
Users running Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later are not vulnerable.
This bug doesn’t affect the AnyConnect client for macOS, Linux, or the client for iOS, Android, and the Universal Windows Platform. Cisco has given CVE-2020-3433 a severity score of 7.8.
Cisco lists a further 15 medium-severity flaws on the company’s security advisories page.
More on Cisco and network security