Cisco released new security updates on Friday, two rated high severity and two medium severity, to address ASA, NX-OS and CPU side-channel vulnerabilities that impact multiple products.
One of the high-rated patches addresses a vulnerability (CVE-2018-0296) in the web interface of the Cisco Adaptive Security Appliance (ASA) that could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.
The other high severity update fixes a vulnerability (CVE-2018-0292) in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software. If unpatched, an unauthenticated attacker could execute arbitrary code and gain full control of an affected system.
Cisco also released two medium-rated security updates for five (5) CPU Side-Channel Information Disclosure Vulnerabilities. The first side-channel vulnerability (CVE-2018-3639) is also known as Spectre Variant 4 or SpectreNG. The second vulnerability (CVE-2018-3640) is known as Spectre Variant 3a.
Both of these side channel attacks are variants of the attacks first disclosed in January 2018 and leverage cache-timing attacks to potentially steal sensitive data.
The last three vulnerabilities are Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).
These latest Spectre/Meltdown updates included an updated vulnerable products table, new products under investigation and newly confirmed products not vulnerable to the flaws.