Cisco issues security patches for critical vulnerabilities affecting its router and firewall products
The flaws could enable hackers to take full control of the target device
Cisco Systems on Wednesday released security patches to fix 31 vulnerabilities affecting many of its routers and firewall devices.
According to the company, these security updates address critical remote code execution (RCE), static default credential and authentication bypass bugs, which could enable hackers to take full control of the target device.
Five bugs addressed in the latest update received CVSS severity score of 9.8, making them critical vulnerabilities. They are:
- CVE-2020-3144 - Authentication bypass flaw in RV110W, RV130, RV130W, and RV215W routers
- CVE-2020-3330- Static default credential bug in Cisco's Small Business RV110W Wireless-N VPN Firewall
- CVE-2020-3331 - Arbitrary code execution flaw in RV110W and RV215W Series routers
- CVE-2020-3323 - Remote command execution bug in Cisco's Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface
- CVE-2020-3140 - Privilege escalation bug in the Cisco Prime Licence Manager
These critical bugs can be remotely exploited by unauthenticated attackers without requiring any user interaction, Cisco said. There are no workarounds available to address the bugs.
Cisco says it found no evidence to suggest that hackers are currently exploiting the vulnerabilities for malicious purpose.
The company credited external security researchers Sanghyuk Lee, Jeongun Baek and Gyengtak Kim of GeekPwn, Adam Engle and Quentin Kaiser of AdventHealth and Larryxi of XDSEC for reporting the bugs.
Cisco's latest security updates to address critical vulnerabilities in its products have been released after Finnish cybersecurity firm F-Secure published a report detailing its investigation into a pair of fake Cisco network switches.
F-Secure's its probe into two counterfeit versions of Cisco Catalyst 2960-X series switches revealed that the fakes are physically and operationally very similar to authentic Cisco switches but have been designed to bypass processes used to authenticate system components.
"The counterfeiters' motives were likely limited to making money by selling the components," said Dmitry Janushkevich, a senior consultant with F-Secure Consulting's Hardware Security team.
The report concludes that the individuals behind the fakes either had access to Cisco's proprietary engineering documentation or they have invested heavily in replicating the original design.