Cisco released security patches for 30 vulnerabilities, including a critical flaw in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit.
The critical vulnerability in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit is tracked as CVE-2019-1710 (CVSS score of 9.8). The flaw could be exploited by an unauthenticated, remote attacker to access internal applications running on the sysadmin virtual machine (VM).
The bug is due to the incorrect isolation of the secondary management interface from internal sysadmin applications.
“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” reads the security advisory published by Cisco.
There are workarounds that address this issue, but Cisco recommends installing the software updates it has released to address the flaw. The tech giant has fixed the flaw in Cisco IOS XR 64-bit Software Releases 6.5.3 and 7.0.1; the fix edits the calvados_bootstrap.cfg file and reloads the device.
Cisco will not publish a software maintenance upgrade (SMU) for this vulnerability due to the effectiveness of the workaround.
The Cisco Product Security Incident Response Team (PSIRT) confirmed that it is not aware of any attacks in the wild exploiting the issue.
Cisco also addressed 6 high-severity bugs: in the handling of Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, in the administrative GUI configuration and the web-based management interface of WLC software, in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and in the development shell authentication for Aironet Series Access Points running the AP-COS operating system.
The complete list of the addressed vulnerabilities is available on the Cisco Security Center portal.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".