Security News
Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routers and their management software that admins will want to apply as soon as possible. The latter is a privilege escalation vulnerability in the SD-WAN management software used with a range of Cisco routers, including the vEdge 100 Series, 1000 Series, 2000 Series, 5000 Series, and Cloud Router.
Cisco has fixed five security vulnerabilities in its Software-Defined WAN Solution, two of which could allow an authenticated, local attacker to either gain root privileges on the underlying operating system or to inject arbitrary commands that are executed with root privileges. While there is no indication that these flaws are being actively exploited, no workarounds addressing the vulnerabilities exist, so upgrading to the Cisco SD-WAN Solution software release 19.2.2.
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed. The five CVE-listed bugs are down to what Cisco calls "Insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.
If exploited, the flaws could enable bad actors to execute commands with root privileges on affected systems. The three flaws are located in various Cisco hardware and software products running the company's SD-WAN software earlier than Release 19.2.2.
Cisco on Wednesday announced that it has patched a total of five vulnerabilities in its SD-WAN solution, including three that have been assigned a "High severity" rating. The high-severity vulnerabilities - all of them reported to Cisco by Orange Group - are caused by insufficient input validation.
Cisco Webex Player is also affected; it is used to play back Webex Recording Format files on the Windows OS. WRF files contain audio and video recordings, typically used for demonstrations, training and conferencing. While Cisco did not detail the technicalities of the vulnerabilities, it said that "An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system," according to Cisco in a Wednesday advisory.
Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely. Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity, the issues reside in the insufficient validation of elements within a Webex recording stored as ARF or WRF. To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening the file on the local system, which could result in arbitrary code being executed with the privileges of the targeted user.
It looks like Switchzilla is moving swiftly to clear up the Kr00k bug discovered by ESET. Just hours after the researchers delivered their findings in a report, Cisco gave its own advisory on the Wi-Fi data snooping flaw.
Cisco says it will release patches for wireless devices affected by the recently disclosed Wi-Fi chip vulnerability named Kr00k. Cybersecurity firm ESET revealed on Wednesday that over one billion Wi-Fi-capable devices were at one point affected by a vulnerability that can allow hackers to obtain potentially sensitive information from wireless communications.