Cisco this week reported it spent time patching two high-risk security flaws which appeared in the user interface of Cisco IOS and Cisco IOS XE Software releases earlier than 2019.09.19.1956m. This is, according to an advisory put out by the company.
Cisco said it found a vulnerability, located in the web-based management interface of Cisco Webex’s Video Mesh that could let in authenticated remote intruders to perform ‘arbitrary commands on the affected system.’ Classified as high priority by Cisco, the company said it’s since repaired the bug in its systems discovered during routine internal testing. The company said in the same advisory:
“An attacker could have exploited this vulnerability by logging in to the web-based management interface with administrative privileges and supplying crafted requests to the application”
Such attacks are typically launched using social engineering via emails to persuade unsuspecting victims to click links capable of triggering harmful attacks on end-users and possibly organizations.
A Second iOS Software Security Threat Remedied
The second of two patches released this week by Cisco include another high-risk flaw found in the web user interface of Cisco IOS XE software, the company’s Linux-based version of its operating system for iOS, software controls enterprise switches from Cisco’s Catalyst series, as well as branch and edge routers.
Cisco’s Product Security Incident Response Team said in a statement it was unaware of any public announcements or malicious use of the vulnerabilities.
Cisco Makes Zoom-Like Blunder
Back when we first reported another verified weakness in Zoom’s conferencing platform, I knew any company could make this mistake. Today, Cisco’s done just that, but like any socially-responsible company, acknowledged its shortcomings and remedied the situation to keep users safe.
I did not, however, assume that Cisco would be on the opposite end of things, with exposures similar to those the company called Zoom out for. For a moment, I did think we’d witness the end of the bright interoperability future that seemed to make progress in ending a long-standing tradition of non-collaboration across the collaboration vendor landscape. That has not happened, thankfully.
What all this goes to show, what happened to Cisco, and with Zoom, could happen to any company, and the ethical thing to do in this case is to be transparent, something Cisco did this week and something the collaboration giant has a long history with.
How do I know If I am Impacted?
Fixing the issue is free for those with valid Cisco licensing and can be found on Cisco’s website or via an authorized reseller or partner. If you’re a Cisco customer using Cisco IOS and Cisco IOS XE Software releases earlier than 2019.09.19.1956m – there’s a chance you’re exposed. You can find out if you are, by accessing this handy link.
We reached out to Cisco for comment and clarification on a few matters and they hadn’t responded by the time of publication.
We’ll bring you any updates we hear from Cisco and plan to keep you up-to-date on the latest Cisco news with live coverage next week of its annual developer conference Cisco Live held in Barcelona Spain January 27-31, 2020.
