Cisco has patched high risk Webex Teams, video surveillance camera and Identity Services Engine (ISE) vulnerabilities.
As a result, a remote attacker could potentially exploit some of these vulnerabilities to take control of an impacted device or execute arbitrary code on impacted systems.
Cisco Webex Teams
The first of the three High severity Cisco patches addresses a DLL hijacking vulnerability CVE-2020-3535 in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows.
“The vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches,” Cisco stated in the advisory.
As a result, an authenticated, local attacker could load a malicious library to exploit the vulnerability and execute arbitrary code on the victim’s system with the privileges of another user’s account.
Cisco Video Surveillance Cameras
Cisco also patched a High severity remote code execution and denial of service vulnerability CVE-2020-3544 in Cisco Video Surveillance 8000 Series IP Cameras.
“This vulnerability is due to missing checks when an IP camera processes a Cisco Discovery Protocol packet. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device,” Cisco warned in the advisory.
As a result, an unauthenticated, adjacent attacker could exploit and execute arbitrary code on an affected device or cause the device to reload.
Identity Services Engine
Cisco also addressed a High severity authorization bypass vulnerability CVE-2020-3467 in the web-based management interface of Cisco Identity Services Engine (ISE).
“The vulnerability is due to improper enforcement of role-based access control (RBAC) within the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device,” Cisco noted in the advisory.
To add, Cisco said an attacker would need read-only administrator access to exploit this vulnerability. However, a successful exploit could allow an attacker to modify parts of the configuration.
Finally, Cisco also patched 11 Medium rated vulnerabilities for StarOS, SD-WAN, Nexus Data Broker, Firepower and multiple other network products.
Check out the latest Cisco advisories as of October 7, 2020. System and Network administrators should deploy security updates to affected devices as soon as possible.
- Cisco fixes 29 High risk security bugs in Cisco IOS and IOS XE software, Aironet and other network products
- Experts warn users to secure internet-connected cameras
- Cisco patches high risk Webex vulnerability (CVE-2020-3142)
- Cisco Webex and Zoom issue password security guidance to prevent enumeration attacks
- 5 Good Cybersecurity Lessons Learned From FTC Law Enforcement Actions