If you’re a Cisco customer, the company just issued some urgent patching homework in the form of 31 security fixes, including four addressing new flaws rated ‘critical’.
Three of the criticals (CVE-2019-1937, CVE-2019-1938, CVE-2019-1974) relate to authentication bypass vulnerabilities affecting the following products:
- UCS Director and Cisco UCS Director Express for Big Data.
- IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
- Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
All are remotely exploitable, earning a CVSS score of 9.8, and could allow “an attacker to gain full administrative access to the affected device.”
The fourth (CVE-2019-1935, also a 9.8) affects the Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
This is described as a default credentials flaw that could allow an attacker to log into the command line interface using the SCP user account, giving them “full read and write access to the system’s database.”
Reheats
The advisory also mentions two other critical vulnerabilities (in addition to the 31), CVE-2019-1913 and CVE-2019-1912, but these are just updates to advisories from early August affecting the company’s 220 Series Smart Switches.
What appears to have changed since then is that Cisco has received word that public exploits are now available, although in both cases:
“Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.”
That sounds comforting, but the fact that proof-of-concept code is out there raises the urgency of patching these flaws as soon as possible.
Insecure boot
Cisco also finds itself patching a high priority flaw (CVE-2019-1649) in the proprietary secure boot routine used by what appears to be a big chunk of the company’s well-known enterprise router and switching hardware.
This could allow an attacker to tamper with a device’s firmware, although admin access to the system would also be necessary for this.
In total, eight of the flaws classified as high priority relate to the possibility of command injection.
A final interesting flaw is CVE-2019-9506, Cisco’s fix for the industry-wide Bluetooth ‘KNOB’ key negotiation vulnerability made public at the recent USENIX symposium.
Mahhn
As good as it is that Cisco is patching all these serious exploits, if we had known just how many serious exploits they would have 2 years ago, it’s questionable that we would have renewed with them. Something their management should think about. All those backdoors for agencies that eventually get patched anyways, have been a bad investment.
5-10 years from now: Remember when the office phone company Cisco used to make network equipment?
I hope they do better, when they do work, they’re top notch.