Cisco released a slew of software patches to fix bugs in its IOS XE operating system but says two small business routers are still vulnerable to attacks. Cisco issued 25 security alerts on Wednesday and Thursday. It rated 19 high severity and six medium.
Cisco didn’t have fixes for a bug in two small business routers: RV320 and RV325. The two router vulnerabilities are rated high and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers.
Router Flaws that still persist are:
1. Router flaws (CVE-2019-1652) is a command injection vulnerability “due to improper validation of user-supplied input,” Cisco wrote. The bug could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands.
2. Router bug (CVE-2019-1653) is an information disclosure vulnerability also impacting Cisco Small Business RV320 and RV325 routers. “A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information,” Cisco wrote.
IOS XE Bugs:
Of the high severity vulnerabilities, 15 were tied to Cisco’s Internetworking Operating System (IOS) XE, which runs on Cisco networking gear such as its switches, controllers and routers. Bugs ranged from privilege escalation, injection and denial of service vulnerabilities.
One bug (CVE-2019-1745) is a Cisco IOS XE software command injection vulnerability. According to Cisco, the vulnerability could be exploited by a local adversary that could inject arbitrary commands into the OS that are executed with elevated privileges.
“The vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected commands. An exploit could allow the attacker to gain root privileges on the affected device,” wrote Cisco.
The two command injection patches (CVE-2019-1756, CVE-2019-1755) allow a remote authenticated attacker to execute commands on devices running the vulnerable Cisco IOS XE software.
“The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a username with a malicious payload in the web UI and subsequently making a request to a specific endpoint in the web UI,” Cisco said of CVE-2019-1756.
Four Critical Non-Cisco Bugs Also Reported
As part of its flurry of patch announcements, Cisco also posted information regarding four vulnerabilities rated critical for non-Cisco products. The critical bugs include:
Moodle mybackpack functionality server-side request forgery vulnerability (CVE-2019-3809) that could allow an unauthenticated, remote attacker to conduct a server-side request forgery attack on a targeted system.
A second critical vulnerability was found in Elastic Kibana Security Audit Logger that could lead to arbitrary code execution (CVE-2019-7610).
Cisco also reported a Python urllib security bypass vulnerability (CVE-2019-9948) and an Elastic Kibana Timelion Visualizer arbitrary code execution vulnerability (CVE-2019-7609).