Cisco has released security updates to patch critical and high severity vulnerabilities in multiple Cisco products to include small business switches, IOS XR, Webex and others.
Cisco released patches for the following products (along with vulnerabilities fixed):
- Adaptive Security Appliance (ASA): High severity Web-Based Management Interface Privilege Escalation Vulnerability (CVE-2019-1934).
- Enterprise NFV Infrastructure Software: High severity Virtual Network Computing (VNC) Authentication Bypass Vulnerability (CVE-2019-1895).
- IOS XR Software: High severity Intermediate System-to-Intermediate System Denial of Service Vulnerabilities (CVE-2019-1918 and CVE-2019-1910).
- Small Business 220 Series Smart Switches: Critical Authentication Bypass Vulnerability (CVE-2019-1912).
- Small Business 220 Series Smart Switches: Critical Remote Code Execution Vulnerability (CVE-2019-1913).
- Webex Network Recording Player and Webex Player: Arbitrary Code Execution Vulnerabilities (CVE-2019-1924, CVE-2019-1925 and CVE-2019-1926).
It is important to note that the two Small Business 220 smart switch vulnerabilities are each rated critical and sport a CVSS score between 9.1 and 9.8 (10 being the highest).
To add, an unauthenticated, remote attacker could exploit the remote execution bug to overflow a buffer, then execute arbitrary code with root privileges on the underlying operating system.