Cisco has released 25 patches that address 19 high-severity and 6-medium-severity flaws, most of which are present in its ISO XE operating system used by its networking products such as switches, controllers, and routers.
15 of the 19 high severity vulnerabilities are in the Internetworking Operating System IOS XE, several of which could allow unauthenticated attackers to gain root privileges on vulnerable devices and execute arbitrary commands.
The high severity vulnerabilities are: CVE-2019-1737, CVE-2019-1738, CVE-2019-1739, CVE-2019-1740, CVE-2019-1741, CVE-2019-1742, CVE-2019-1743, CVE-2019-1745, CVE-2019-1746, CVE-2019-1747, CVE-2019-1748, CVE-2019-1749, CVE-2019-1750, CVE-2019-1751, CVE-2019-1752, CVE-2019-1753, CVE-2019-1754, CVE-2019-1755, and CVE-2019-1756
Two high-severity flaws in routers have not yet been addressed. CVE-2019-1652 is a command injection vulnerability which could be exploited to allow an unauthenticated individual to remotely gain administrative privileges on a vulnerable router and execute arbitrary code. The second unaddressed vulnerability – CVE-2019-1653 – is an information disclosure vulnerability which could allow an unauthenticated attacker to gain access to sensitive information. The vulnerabilities affect Cisco RV320 and RV325 routers and are rated high severity.
The flaws had previously been patched, but those patches were incomplete, and the routers remain vulnerable to attack. At present, firmware upgrades to address the flaws are unavailable and there are no workarounds that can be implemented to temporarily correct the flaws. Cisco is currently working on a patch to address both flaws.
Six medium-severity flaws in its iOS XE software have also been addressed. These are: CVE-2019-1758, CVE-2019-1759, CVE-2019-1759, CVE-2019-1760, CVE-2019-1761, and CVE-2019-1762.
Cisco has also issued warnings about critical vulnerabilities affecting non-Cisco products: The Moodle mybackpack functionality server side request forgery vulnerability (CVE-2019-3809); a RCE vulnerability in Elastic Kibana Security Audit Logger (CVE-2019-7610); a Python urllib security bypass vulnerability (CVE-2019-9948); and an Elastic Kibana Timelion Visualizer arbitrary code execution vulnerability (CVE-2019-7609).
Affected users are advised to apply the patches as soon as possible to prevent exploitation.