The critical vulnerability in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit is tracked as CVE-2019-1710 (CVSS score of 9.8). The flaw could be exploited by an
The bug is due to the incorrect isolation of the secondary management interface from internal sysadmin applications.
“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” reads the security advisory published by Cisco.
There are workarounds that address this issue, but Cisco recommends installing the software updates it has released to address the flaw. The tech giant has fixed the flaw in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_bootstrap.cfg file and reload the device.
Cisco will not publish a software maintenance upgrade (SMU) for this vulnerability due to the effectiveness of the workaround.
The Cisco Product Security Incident Response Team (PSIRT) confirmed that it is not aware of any attacks in the wild exploiting the issue.
Cisco also addressed 6 high-severity bugs in Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, and in the administrative GUI configuration and the web-based management interface of WLC software, as well as in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and the development shell authentication for Aironet Series Access Points running the AP-COS operating system.
(SecurityAffairs – hacking, CISCO ASR 9000)