Cisco fixes three critical bugs in IOS XE software
The company says it is not aware of these bugs being exploited in the wild
Cisco has released patches to address three critical security bugs in its IOS XE internetworking operating system, which could enable threat actors to run arbitrary code remotely and cause denial of service (DoS) condition on vulnerable devices.
The most severe of these issues is CVE-2021-34770, a remote code execution (RCE) with CVSS score of 10.0.
According to Cisco, this vulnerability is a 'logic error' that occurs during the processing of Control and Provisioning of Wireless Access Points (CAPWAP) protocol.
The CAPWAP protocol enables a central wireless Controller to handle processing of IOS XE software for Catalyst 9000 family wireless controllers.
Cisco said that the bug could allow attackers to run arbitrary code with root privileges, after sending a crafted packet.
A successful attack would cause the targeted device to crash and reload, resulting in a DoS condition.
The flaw affects Catalyst 9800 and 9800-CL wireless controllers; Catalyst 9300, 9400, and 9500 series switches; and embedded wireless controllers on catalyst access points.
A second critical vulnerability addressed by Cisco is a buffer overflow in IOS XE SD-WAN, which could enable an unauthenticated, remote attacker to run arbitrary commands with root privileges or cause the device to reload, which could result in a DoS condition.
Indexed as CVE-2021-34727, this bug happens due to insufficient bounds checking when an affected device processes traffic.
An adversary could exploit this bug by sending crafted traffic to the device.
The products affected due to this bug include cloud services router 1000V series, integrated services routers (ISRs) 1000 and 4000 series, and aggregation services routers (ASR) 1000 series.
Lastly, Cisco patched CVE-2021-1619, a bug which is caused due to an uninitialised variable in the authentication, authorisation, and accounting (AAA) function of the Cisco IOS XE Software.
A successful attack would enable an authenticated, remote actor to 'install, manipulate, or delete the configuration of a network device or to corrupt memory on the device,' resulting in a DoS condition.
Cisco says it has no reports of these three bugs being exploited in the wild.
These fixes were released as part of Cisco's September 2021 bundle of security advisories for IOS and IOS XE software.
In total, Cisco has fixed 27 vulnerabilities this month, including 13 high-severity and 11 medium-severity bugs.
Earlier this month, the company urged users to patch a critical vulnerability in virtualised network devices after a proof-of-concept (PoC) exploit code was made public.
The vulnerability, indexed as CVE-2021-34746, affected the TACACS+ authentication, authorisation and accounting feature of Cisco Enterprise NFV Infrastructure Software.
And in June, reports emerged that cyber criminals were exploiting a security flaw (CVE-2020-3580) in Cisco Adaptive Security Appliance (ASA) devices in active attacks following the release of PoC exploit code.
Cisco first revealed details of the cross-site scripting (XSS) bug in October 2020 and also issued a fix for it. Because the initial patch was incomplete, the vendor released an additional patch for the bug in April 2021.
In its advisory, Cisco said that it was releasing patches to address multiple XSS bugs in its ASA and Firepower Threat Defense (FTD) software web services.
It urged organisations to patch their devices against CVE-2020-3580 to protect their sensitive data from threat actors.
Cybersecurity firm Rapid7 warned last year that there were over 85,000 internet-accessible ASA/FTD devices as of July 2020. Of those devices, 398 were spread across 17 per cent of the Fortune 500 firms.