The Joy of Six... critical security patches: Cisco small biz switches open to hijacking via web UI
Plus UCS and other gear need updates
Cisco has emitted a fresh round of software updates to address security holes in its network switches and controllers.
Switchzilla's latest patch bundle includes six alerts for what it rates as critical issues, including flaws in its Small Business 220 Series switches and UCS Director software. Combined with Cisco's fixes for 'high' and 'moderate' issues, the networking giant posted a total of 33 security alerts on Wednesday.
For the Small Business 220 Series switches, a pair of patches address CVE-2019-1912, an authentication bypass flaw that lets an attacker push a reverse shell onto the device through the web interface, and CVE-2019-1913, a remote code execution flaw that hands the attacker root and is likewise exploitable through the switch's web management interface without any authentication.
Proof-of-concept exploit code exists for both flaws, we're told, though Cisco says there are no reports of active malicious exploitation in the wild... yet. The holes were found and reported by an infosec bod using the handle bashis.
Also considered a top priority are four critical patches for vulnerabilities in Cisco's Unified Computing System. Three of the patches (CVE-2019-1938, CVE-2019-1974, and CVE-2019-1937) address authentication bypass flaws that would let an attacker get administrator privileges for UCS Director. A fourth UCS Director flaw, CVE-2019-1935, concerns default credentials that were left active.
Other notable patches include a fix for CVE-2019-1649, a Secure Boot flaw that would let an authenticated local attacker write a tampered firmware image to ASA and Firepower security appliances, as well as more than 140 router models and several voice and unified communications devices.
Cisco is also taking the occasion to issue its patch for the Key Negotiation of Bluetooth (KNOB) security issue that was disclosed earlier this month. Switchzilla's CVE-2019-9506 fix covers Webex devices and IP phones that rely on encrypted Bluetooth connections. In a KNOB attack, an interceptor within radio range tampers with the key-size negotiation so that the two devices agree on an encryption key with as little as one byte of entropy, which can then be brute-forced and used to eavesdrop on or inject into the link.
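The entropy downgrade described above, modelled as an added Python example that is not code from Cisco, the KNOB researchers, or this article. The negotiation logic, the key-shortening step and the HMAC-based toy cipher are simplified stand-ins for the real LMP exchange and E0/AES-CCM link encryption, and the function names (`negotiate_entropy`, `simulate_attack`) and the constructed link key are hypothetical. The 7-byte minimum that the patched side enforces reflects the Bluetooth SIG's post-disclosure guidance and is stated here as an assumption about what vendor fixes do, not a description of Cisco's specific change.

```python
"""Toy model of the KNOB (CVE-2019-9506) encryption-key entropy downgrade.

Added illustration, not vendor or researcher code. The cipher, key shortening
and negotiation are deliberately simplified; the point is the search space.
"""
import hashlib
import hmac
import itertools

KEY_LEN = 16              # BR/EDR link keys are 16 bytes (128 bits)
PATCHED_MIN_ENTROPY = 7   # assumption: minimum the patched side refuses to go below


def negotiate_entropy(master_max, slave_max, mitm_cap=None, enforce_min=None):
    """Model the LMP_encryption_key_size_req exchange.

    The master proposes a key size and the slave accepts the lower of the two.
    An attacker who can rewrite the in-flight proposal (mitm_cap) drags it down.
    A patched device with enforce_min set rejects the result and drops the link,
    which we signal by returning None.
    """
    proposal = master_max
    if mitm_cap is not None:
        proposal = min(proposal, mitm_cap)   # attacker rewrites the proposal
    agreed = min(proposal, slave_max)
    if enforce_min is not None and agreed < enforce_min:
        return None                          # patched behaviour: refuse
    return agreed


def shorten_key(link_key, entropy_bytes):
    """Stand-in for the spec's key shortening: keep entropy_bytes of secret,
    zero the rest. The real step uses polynomial reduction, but the effective
    search space is the same: 256 ** entropy_bytes candidates."""
    return link_key[:entropy_bytes] + b"\x00" * (KEY_LEN - entropy_bytes)


def keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (not Bluetooth's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def brute_force(ciphertext, nonce, known_plaintext, entropy_bytes, limit=1 << 20):
    """Try every key the downgraded negotiation left possible, checking each
    against a known-plaintext prefix. Returns (key or None, attempts made)."""
    tries = 0
    for candidate in itertools.product(range(256), repeat=entropy_bytes):
        tries += 1
        key = bytes(candidate) + b"\x00" * (KEY_LEN - entropy_bytes)
        if xor_encrypt(key, nonce, known_plaintext) == ciphertext[:len(known_plaintext)]:
            return key, tries
        if tries >= limit:
            break
    return None, tries


def simulate_attack(link_key, entropy_bytes, plaintext, nonce=b"\x00" * 8):
    """Encrypt under the shortened key, then let the eavesdropper brute-force it.
    Returns (recovered, attempts)."""
    session_key = shorten_key(link_key, entropy_bytes)
    ciphertext = xor_encrypt(session_key, nonce, plaintext)
    recovered, tries = brute_force(ciphertext, nonce, plaintext[:8], entropy_bytes)
    return recovered == session_key, tries


# Constructed sample values for the demonstration (not captured from any device).
SAMPLE_LINK_KEY = bytes(range(0x10, 0x20))
SAMPLE_PLAINTEXT = b"dial 555-0100 and read the PIN 4821"

if __name__ == "__main__":
    print("unpatched, no attacker :", negotiate_entropy(16, 16))
    print("unpatched, KNOB in path:", negotiate_entropy(16, 16, mitm_cap=1))
    print("patched, KNOB in path  :", negotiate_entropy(16, 16, mitm_cap=1,
                                                        enforce_min=PATCHED_MIN_ENTROPY))
    ok, tries = simulate_attack(SAMPLE_LINK_KEY, 1, SAMPLE_PLAINTEXT)
    print(f"1-byte key recovered={ok} after {tries} guesses (max 256)")
    ok, tries = simulate_attack(SAMPLE_LINK_KEY, 2, SAMPLE_PLAINTEXT)
    print(f"2-byte key recovered={ok} after {tries} guesses (max 65536)")
```

The brute-force loop is capped at about a million attempts, so running it with a 7-byte or 16-byte key gives up rather than pretending the full space is searchable; that gap between 2^8 and 2^56 or 2^128 guesses is the whole reason the patched negotiation refuses to accept a short key rather than trying to live with it.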
Cisco's Integrated Management Controller was a popular target this go-round: Switchzilla published 14 separate advisories for the controller, including privilege escalation (CVE-2019-1863), information disclosure (CVE-2019-1908), and denial of service (CVE-2019-12634).
Admins are advised to test and install the patches as soon as possible. ®