Cisco Patches High-Severity Vulnerabilities in Security Appliances, Business Switches
Cisco this week released patches for multiple high-severity vulnerabilities affecting its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products.
Successful exploitation of these vulnerabilities could allow attackers to cause a denial of service (DoS) condition, execute arbitrary commands as root, or elevate privileges.
Two high-severity issues (CVE-2021-34779, CVE-2021-34780) were found in the Link Layer Discovery Protocol (LLDP) implementation for Small Business 220 series smart switches, leading to the execution of arbitrary code and a denial of service condition.
The software update released for the enterprise switch series also resolves four medium-severity security flaws that could result in LLDP memory corruption on an affected device.
Another severe vulnerability is an insufficient input validation in the Intersight Virtual Appliance. Tracked as CVE-2021-34748, the security hole could lead to the execution of arbitrary commands with root privileges.
This week Cisco also resolved two high-severity vulnerabilities in the ATA 190 series and ATA 190 series multiplatform (MPP) software. Tracked as CVE-2021-34710 and CVE-2021-34735, the flaws could be exploited for remote code execution and to cause a denial of service (DoS) condition, respectively.
One of these vulnerabilities was reported to Cisco by firmware security company IoT Inspector, which described its findings in an advisory published on Thursday.
Cisco also addressed an improper memory management flaw in AsyncOS for Web Security Appliance (WSA) that could lead to DoS, as well as a race condition in the AnyConnect Secure Mobility Client for Linux and macOS that could be abused to execute arbitrary code with root privileges.
Another high-severity flaw addressed this week is CVE-2021-1594, an insufficient input validation in the REST API of Cisco Identity Services Engine (ISE). An attacker in a man-in-the-middle position able to decrypt HTTPS traffic between two ISE personas on separate nodes could exploit the flaw to execute arbitrary commands with root privileges.
Cisco also released patches for multiple medium-severity flaws affecting TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital.
Cisco has released patches for these vulnerabilities and says it is not aware of exploits for them being publicly disclosed. Additional details on the resolved issues can be found on Cisco’s security portal.