Cisco Plugs High-Risk Security Flaws in Webex, SD-WAN
Enterprise security vendor Cisco has shipped fixes for a wide range of severity vulnerabilities, including patches for high-risk flaws in the widely deployed Webex Player, SD-WAN software, and ASR 5000 series software.
A total of three high-severity vulnerabilities (CVSS score of 7.8) were patched in Webex Player for Windows and macOS, two of which also affect the Webex Network Recording Player for those operating systems.
The first of the bugs, CVE-2021-1526, is a memory corruption issue that could be abused to execute arbitrary code on an affected system. The flaw could be abused through rigged Webex Recording Format (WRF) files.
The issue affects Cisco Webex Player for Windows and MacOS releases prior to version 41.5, but does not impact the Webex Network Recording Player.
The next two vulnerabilities — CVE-2021-1502 and CVE-2021-1503 — are memory corruption bugs that impact both Webex Network Recording Player and Webex Player, on both Windows and macOS. Both could be exploited to achieve arbitrary code execution on an affected system.
Both flaws are addressed in Webex Network Recording Player and Webex Player releases 41.4 and later.
This week, Cisco also announced patches for CVE-2021-1528, a high risk (CVSS score of 7.8) issue in SD-WAN software, which could be exploited to gain elevated privileges on a vulnerable system.
The bug impacts SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud and vEdge Routers, vManage, and vSmart Controller) and was addressed with the release of SD-WAN versions 20.4.2 and 20.5.1.
Cisco also released patches for a couple of vulnerabilities in ASR 5000 series software (StarOS) that could be exploited to bypass authorization and execute CLI commands on an affected machine. The most important of these flaws is CVE-2021-1539 (CVSS score of 8.1).
Cisco encourages users to update to patched versions of each product as soon as possible. The company also notes that it is not aware of these flaws being exploited in attacks.
This week, Cisco also published information on multiple medium risk vulnerabilities impacting various products from its portfolio, including Webex Meetings, Webex Player, ThousandEyes Recorder, Video Surveillance 7000 series IP cameras, and Common Services Platform Collector (CSPC).
Additionally, the company revealed that many of its products are affected by a series of vulnerabilities identified in the frame aggregation and fragmentation functionality of the 802.11 standard. An attacker could abuse these flaws to forge encrypted frames and exfiltrate sensitive data from an affected device.
While Cisco did publish a list of impacted devices, that list is not exhaustive, as the company is still investigating the impact from these issues.
Additional details on all these vulnerabilities can be found on Cisco’s security portal.