Cisco Releases Alerts for 14 High Severity Bugs


Cisco on Tuesday released security alerts for 25 vulnerabilities affecting some of its products; more than half of them carry a high severity rating.

Most of the security problems announced by the networking hardware maker are denial-of-service (DoS) bugs affecting components in its IOS and IOS XE Software products.

Only two advisories refer to other products: Catalyst 6800 Series Switches ROM Monitor and Webex Meetings Client.

Other vulnerabilities covered by the alerts could be exploited to cause memory leaks, command injection, privilege escalation, authentication bypass, arbitrary code execution, and root shell access.

Several of the vulnerabilities are rated high severity because an unauthenticated, remote attacker can exploit them.

One of the simplest DoS vulnerabilities a remote attacker could exploit affects devices running the IOS XE Software web user interface: sending a specially crafted HTTP request to the web UI is enough to make the device reload.
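Because the web UI DoS described above needs the device's HTTP server to be reachable, the first thing an operator wants to know is whether the web UI is enabled on a given box and, if so, whether it is restricted to a management network. The following Python script is an added example, not code from the article or from Cisco: it parses an IOS/IOS XE running-config (a constructed sample is embedded below) for the `ip http server`, `ip http secure-server` and `ip http access-class` lines and classifies the exposure. It assumes the standard IOS CLI syntax for those commands and does not tell you whether a particular software release is affected; that information comes from the Cisco advisory itself.

```python
import re

# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
!
"""

# Matches both the numbered-ACL form ("ip http access-class 10") and the
# named form ("ip http access-class ipv4 MGMT-ONLY").
_ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 |ipv6 )?(\S+)$")


def audit_web_ui(config: str) -> dict:
    """Return which IOS/IOS XE web UI services are enabled and any access-class.

    Lines are processed in order, so a later "no ip http server" overrides an
    earlier "ip http server", mirroring how the CLI would apply them.
    """
    state = {"http": False, "https": False, "access_class": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
        else:
            m = _ACCESS_CLASS.match(line)
            if m:
                state["access_class"] = m.group(1)
    return state


def classify(state: dict) -> str:
    """Summarise exposure of the web UI to a crafted-HTTP-request DoS."""
    if not (state["http"] or state["https"]):
        return "disabled"      # web UI not listening; this attack surface is closed
    if state["access_class"]:
        return "restricted"    # listening, but only sources permitted by the ACL
    return "exposed"           # listening on every interface with no source filter


def remediation(state: dict) -> list:
    """CLI lines that would disable whatever web UI services are still on.

    Caveat (hypothetical operator guidance, not from the article): other
    features on the device may depend on the HTTP server, so check what else
    uses it before pushing these commands.
    """
    cmds = []
    if state["http"]:
        cmds.append("no ip http server")
    if state["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_web_ui(SAMPLE_CONFIG)
    print(result)
    print("exposure:", classify(result))
    for cmd in remediation(result):
        print("  ", cmd)
```

Feed it the output of `show running-config` from each device in an inventory and sort on the `classify` result; the "exposed" set is where the web UI can be reached by anyone who can route to the device and deserves attention first, regardless of whether a fixed release is available yet.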

The advisories show that many of these problems stem from incorrect input validation or faulty handling of specific packet types.

| Alert Name | Impact | CVE |
|---|---|---|
| Cisco IOS and IOS XE Software OSPFv3 Denial of Service Vulnerability | High | CVE-2018-0466 |
| Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance IPsec Denial of Service Vulnerability | High | CVE-2018-0472 |
| Cisco IOS XE Software Web UI Denial of Service Vulnerability | High | CVE-2018-0469 |
| Cisco IOS XE Software HTTP Denial of Service Vulnerability | High | CVE-2018-0470 |
| Cisco IOS and IOS XE Software SM-1T3/E3 Service Module Denial of Service Vulnerability | High | CVE-2018-0485 |
| Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability | High | CVE-2018-0476 |
| Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability | High | CVE-2018-0473 |
| Cisco IOS and IOS XE Software IPv6 Hop-by-Hop Options Denial of Service Vulnerability | High | CVE-2018-0467 |
| Cisco IOS XE Software Command Injection Vulnerabilities | High | CVE-2018-0477 |
| Cisco IOS XE Software Errdisable Denial of Service Vulnerability | High | CVE-2018-0480 |
| Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability | High | CVE-2018-0475 |
| Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability | High | CVE-2018-0471 |
| Cisco Webex Meetings Client for Windows Privilege Escalation Vulnerability | High | CVE-2018-0422 |

The DoS vulnerability month

On Monday, Cisco published a list comprising over 80 products that are affected by the recently disclosed FragmentSmack DoS bug.

For some of the products, the company plans to make patches available in September and October, but removing the FragmentSmack threat across the whole list is an effort that stretches at least until February 2019.