Security News

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed. The five CVE-listed bugs are down to what Cisco calls "Insufficient input validation," and the avenues to exploit it range from SQL to HTTP requests.

If exploited, the flaws could enable bad actors to execute commands with root privileges on affected systems. The three flaws are located in various Cisco hardware and software products running the company's SD-WAN software earlier than Release 19.2.2.

Cisco on Wednesday announced that it has patched a total of five vulnerabilities in its SD-WAN solution, including three that have been assigned a "High severity" rating. The high-severity vulnerabilities - all of them reported to Cisco by Orange Group - are caused by insufficient input validation.

Cisco Webex Player is also affected, which used to play back Webex Recording Format files on the Windows OS. WRF files contain audio and video recordings, typically used for demonstrations, training and conferencing. While Cisco did not detail the technicalities of the vulnerabilities, it said that "An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system," according to Cisco in a Wednesday advisory.

Cisco Webex Player is also affected, which used to play back Webex Recording Format files on the Windows OS. WRF files contain audio and video recordings, typically used for demonstrations, training and conferencing. While Cisco did not detail the technicalities of the vulnerabilities, it said that "An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system," according to Cisco in a Wednesday advisory.

Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely. Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity, the issues reside in the insufficient validation of elements within a Webex recording stored as ARF or WRF. To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening the file the local system, which could result in arbitrary code being executed with the privileges of the targeted user.

It looks like Switchzilla is moving swiftly to clear up the Krook bug discovered by ESET. Just hours after the researchers delivered their findings in a report, Cisco gave its own advisory on the Wi-Fi data snooping flaw. Missing C++ update opens security hole in Ubuntu 16.04.

Cisco says it will release patches for wireless devices affected by the recently disclosed Wi-Fi chip vulnerability named Kr00k. Cybersecurity firm ESET revealed on Wednesday that over one billion Wi-Fi-capable devices were at one point affected by a vulnerability that can allow hackers to obtain potentially sensitive information from wireless communications.

Cisco on Wednesday released patches for 11 vulnerabilities in its products, including multiple flaws that impact Cisco UCS Manager, FXOS, and NX-OS software. Because the Discovery Protocol is enabled by default globally and on all interfaces in FXOS and NX-OS, the flaw impacts numerous products, including Nexus, Firepower, UCS and MDS. Cisco has pointed out that this vulnerability is different from the one disclosed earlier this month, which researchers said affected tens of millions of Cisco devices deployed in enterprise environments.

Building on a decade of significant investment in innovation, partnerships, acquisitions, customer research and open- source standards, Cisco is now offering customers the broadest, most integrated cloud-native security platform in the industry, Cisco SecureX. Cisco SecureX provides a comprehensive user experience across the breadth of Cisco's integrated security portfolio and customers' existing security infrastructure. Cisco SecureX unifies visibility, identifies unknown threats, and automates workflows to strengthen customers' security across network, endpoint, cloud, and applications.