Cisco this week launched patches for a number of high-severity vulnerabilities affecting its Net Safety Equipment (WSA), Intersight Digital Equipment, Small Enterprise 220 switches, and different merchandise.
Profitable exploitation of those vulnerabilities might enable attackers to trigger a denial of service (DoS) situation, execute arbitrary instructions as root, or elevate privileges.
Two high-severity points (CVE-2021-34779, CVE-2021-34780) had been discovered within the Hyperlink Layer Discovery Protocol (LLDP) implementation for Small Enterprise 220 sequence good switches, resulting in the execution of arbitrary code and a denial of service situation.
The software program replace launched for the enterprise swap sequence additionally resolves 4 medium-severity safety flaws that would end in LLDP reminiscence corruption on an affected machine.
One other extreme vulnerability is an inadequate enter validation within the Intersight Digital Equipment. Tracked as CVE-2021-34748, the safety gap might result in the execution of arbitrary instructions with root privileges.
This week Cisco additionally resolved two high-severity vulnerabilities within the ATA 190 sequence and ATA 190 sequence multiplatform (MPP) software program. Tracked as CVE-2021-34710 and CVE-2021-34735, the issues may very well be exploited for distant code execution and to trigger a denial of service (DoS) situation, respectively.
One among these vulnerabilities was reported to Cisco by firmware safety firm IoT Inspector, which described its findings in an advisory revealed on Thursday.
Cisco additionally addressed an improper reminiscence administration flaw in AsyncOS for Net Safety Equipment (WSA) that would result in DoS, in addition to a race situation within the AnyConnect Safe Mobility Shopper for Linux and macOS that may very well be abused to execute arbitrary code with root privileges.
One other high-severity flaw addressed this week is CVE-2021-1594, an inadequate enter validation within the REST API of Cisco Id Providers Engine (ISE). An attacker in a man-in-the-middle place in a position to decrypt HTTPS site visitors between two ISE personas on separate nodes might exploit the flaw to execute arbitrary instructions with root privileges.
Cisco additionally launched patches for a number of medium-severity flaws affecting TelePresence CE and RoomOS, Good Software program Supervisor On-Prem, 220 sequence enterprise switches, Id Providers Engine, IP Cellphone software program, Electronic mail Safety Equipment (ESA), DNA Heart, and Orbital.
Cisco has launched patches for these vulnerabilities and says it isn’t conscious of exploits for them being publicly disclosed. Further particulars on the resolved points could be discovered on Cisco’s security portal.