Cisco has fixed five High risk Cisco IOS XR Software vulnerabilities in multiple network products, as well as a security update for OpenSSL vulnerabilities.
An attacker could exploit these vulnerabilities and potentially take over affected devices.
IOS XR Software
On September 8, 2021, Cisco addressed two High severity privilege escalation vulnerabilities (CVE-2021-34719 and CVE-2021-34728) in the CLI of Cisco IOS XR Software that could allow an authenticated, local attacker to elevate privileges on an affected device.
A second Cisco update fixed a High severity vulnerability (CVE-2021-34713) in the Layer 2 punt code of Cisco IOS XR Software running on Cisco ASR 9000 Series Aggregation Services Routers.
As a result, an unauthenticated, adjacent attacker could cause the affected line card to reboot.
Another update patched a vulnerability (CVE-2021-34720) in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software.
A remote unauthenticated attacker could exploit the issue and cause a denial of service (DoS) condition.
The last of the High risk IOS XR patches addressed an arbitrary file read and write vulnerability (CVE-2021-34718).
OpenSSL vulnerabilities
Finally, Cisco also issued a new revision of its security advisory, originally released in March 2021, for the OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450) that affect multiple Cisco products.
“Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition,” Cisco warned in the advisory.
The latest revision of the advisory updated the fixed-release availability information for Cisco IOS and IOS XE Software.