Cisco has released security patches for Cisco IP Phones Web Application, UCS Director and other products. Five of the vulnerabilities are rated Critical severity and another seven are rated High severity.
A bad actor could exploit these vulnerabilities to take control of impacted network devices.
Here’s a breakdown of the patches, grouped by Critical and High severity.
Critical severity updates
Cisco patched the following Critical severity vulnerabilities (with their CVE identifiers):
- Cisco IP Phones Web Server Remote Code Execution and Denial of Service Vulnerability (CVE-2020-3161)
- Multiple Vulnerabilities in Cisco UCS Director and Cisco UCS Director Express for Big Data (CVE-2020-3239, CVE-2020-3240, CVE-2020-3243)
- Cisco IP Phones Web Application Buffer Overflow Vulnerability (CVE-2016-1421).
Network admins should take special note of the multiple vulnerabilities that impact Cisco UCS Director.
“Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device,” Cisco warned in the advisory.
In addition, an unauthenticated, remote attacker could exploit vulnerabilities in the web application and web server for Cisco IP Phones. Cisco further warned that an attacker could then “execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition.”
High severity updates
Cisco also patched the following vulnerabilities rated High severity (with their CVE identifiers):
- Cisco Wireless LAN Controller 802.11 Generic Advertisement Service Denial of Service Vulnerability (CVE-2020-3273)
- Cisco Wireless LAN Controller CAPWAP Denial of Service Vulnerability (CVE-2020-3262)
- Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerability (CVE-2020-3194)
- Cisco Mobility Express Software Cross-Site Request Forgery Vulnerability (CVE-2020-3261)
- Cisco IoT Field Network Director Denial of Service Vulnerability (CVE-2020-3162)
- Cisco Unified Communications Manager Path Traversal Vulnerability (CVE-2020-3177)
- Cisco Aironet Series Access Points Client Packet Processing Denial of Service Vulnerability (CVE-2020-3260).
Check out the latest Cisco advisories released on April 15, 2020. Patches should be applied to affected devices as soon as possible.