Cisco fixes High risk vulnerabilities in multiple products

Cisco has released security updates to patch high-risk vulnerabilities in multiple products, including Cisco Webex Teams and Industrial Network Director (IND). Five other medium-severity vulnerabilities were also fixed.

On Wednesday, Cisco released seven different security updates for the following vulnerabilities (along with products impacted):

  1. Webex Teams Logging Feature Command Execution High Vulnerability (CVE-2019-1939): Cisco Webex Teams client for Windows.
  2. Industrial Network Director Configuration Data Information Disclosure High Vulnerability (CVE-2019-1976): Cisco Industrial Network Director (IND).
  3. Content Security Management Appliance Information Disclosure Medium Vulnerability (CVE-2019-12635): Cisco Content Security Management Appliance (SMA) Software.
  4. Finesse Request Processing Server-Side Request Forgery Medium Vulnerability (CVE-2019-12632): Cisco Finesse.
  5. Identity Services Engine Cross-Site Scripting Medium Vulnerability (CVE-2019-12644): Cisco Identity Services Engine (ISE) Software.
  6. Jabber Client Framework for Mac Code Execution Medium Vulnerability (CVE-2019-12645): Cisco Jabber Client Framework (JCF) for Mac Software.
  7. Unified Contact Center Express Request Processing Server-Side Request Forgery Medium Vulnerability (CVE-2019-12633): Cisco Unified Contact Center Express (Unified CCX).

Of special note, the high-risk Cisco Webex Teams Windows client vulnerability (CVE-2019-1939) could allow an unauthenticated, remote attacker to execute arbitrary commands on impacted systems. The CVSS base score is 7.5.

“A successful exploit could allow the attacker to cause the application to modify files and execute arbitrary commands on the system with the privileges of the targeted user,” Cisco warned.

In case you missed it on Tuesday, Cisco also released a High severity advisory for Cisco Secure Boot Hardware Tampering Vulnerability (CVE-2019-1649). A local attacker could exploit this issue to write a modified firmware image to the component. Cisco confirms this issue affects multiple Cisco products that support hardware-based Secure Boot functionality.

Administrators should apply the necessary updates as soon as possible.