Cisco Patches Critical Vulnerabilities in Prime Infrastructure (PI) Software
Cisco has released patches for numerous vulnerabilities affecting its products, including Critical flaws in the Cisco Prime Infrastructure (PI) Software that could allow remote code execution.
A total of three vulnerabilities were identified in the PI software, namely CVE-2019-1821, CVE-2019-1822, and CVE-2019-1823, featuring a CVSS score of 9.8.
The bugs impact the web-based management interface of Cisco PI and Cisco Evolved Programmable Network (EPN) Manager and could allow a remote attacker to execute arbitrary code with elevated privileges.
CVE-2019-1821, Cisco explains in an advisory, can be exploited by an unauthenticated attacker with network access to the affected administrative interface.
CVE-2019-1822 and CVE-2019-1823, on the other hand, require that the attacker has valid credentials to authenticate to the impacted administrative interface.
“These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges,” Cisco says.
The vulnerabilities were found in PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1. Cisco has already released software updates to address these issues.
The company says it is not aware of public announcements or malicious use of these vulnerabilities.
Additionally, Cisco released patches for 10 High severity security issues in ASR 9000 Series routers, Webex Network Recording Player for Windows, Small Business Sx200, Sx300, Sx500, ESW2 Series and Sx250, Sx350, Sx550 Series switches, PI and EPN Manager, FXOS and NX-OS Software, IOS XR Software, Video Surveillance Manager, and Nexus 9000 Series switches.
Exploitation of these flaws could lead to denial of service, arbitrary code execution, execution of arbitrary SQL queries, information disclosure, or elevation of privileges to root user.
In addition to these, Cisco released patches for over 40 Medium risk vulnerabilities, most of which were found in NX-OS software. These include command injection bugs, secure configuration bypass, buffer overflow, SSH Key information disclosure, patch traversal, and policy bypass.
The company also updated the list of products impacted by a recently disclosed vulnerability impacting its Secure Boot implementation. Tracked as CVE-2019-1649, this High severity flaw could be exploited to permanently write a modified firmware image to the hardware component of the Secure Boot.