Cisco has released security updates for multiple products to include IOS, Email Security Appliance, Data Center Network Manager and other products. One of the updates also addresses a critical vulnerability in Cisco’s Smart Software Manager On-Prem.
The one Critical patch fixes a static default credential vulnerability CVE-2020-3158 in the high availability (HA) service in the Smart Software Manager On-Prem.
“The vulnerability is due to a system account that has a default and static password and is not under the control of the system administrator,” Cisco stated.
An unauthenticated attacker could exploit this vulnerability by using the default account to gain read/write access to sensitive configuration data.
ESA high risk vulnerabilities
Cisco also patched two High severity vulnerabilities in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA).
The first ESA bug CVE-2019-1983 is due to insufficient input validation of email attachments. An attacker could then exploit and cause specific processes to crash repeatedly and denial of service (DoS) condition.
The second ESA bug CVE-2019-1947 is caused by the improper handling of email messages that contain large attachments. A bad actor could exploit this issue and cause a DoS condition, which could even force manual intervention to recover.
Other High risk patches
The other high severity patches include:
- CVE-2019-16027: Cisco IOS XR Software Intermediate System-to-Intermediate System Denial of Service Vulnerability
- CVE-2019-1888: Cisco Unified Contact Center Express Privilege Escalation Vulnerability
- CVE-2019-1736: Multiple Cisco UCS-Based Products UEFI Secure Boot Bypass Vulnerability
- CVE-2020-3112: Cisco Data Center Network Manager Privilege Escalation Vulnerability
- CVE-2020-3114: Cisco Data Center Network Manager Cross-Site Request Forgery Vulnerability.
Finally, Cisco added nine (9) other Medium severity patches for Cloud Web Security, Identity Services Engine and other products.
Cisco released the latest advisories on February 19. So patches should be applied to affected devices as soon as possible.