Cisco has released a large number of patches as part of its scheduled IOS and IOS XE Software Security Advisory Bundled Publication. Of the 41 total patches for IOS vulnerabilities, 29 were rated high severity on the Common Vulnerability Scoring System (CVSS). While it is highly recommended that sysadmins review the patch list in its entirety, this article focuses on some of the most dangerous vulnerabilities and the new Cisco patches for them. Many of the most severe vulnerabilities, and the patches that address them, relate to denial-of-service issues, authorization bypass, and arbitrary code execution.
A pair of vulnerabilities, CVE-2020-3421 and CVE-2020-3480, allow a remote attacker to exploit the Cisco IOS XE Zone-Based Firewall. The patches released for this issue specifically close a Layer 4 flaw that causes packets to be mishandled. According to Cisco, this could lead to a denial of service if the following occurs:
An attacker could exploit these vulnerabilities by sending a certain sequence of traffic patterns through the device. A successful exploit could allow the attacker to cause the device to reload or stop forwarding traffic through the firewall.
Another patched vulnerability in Cisco’s IOS XE Software, CVE-2020-3417, leaves the software open to arbitrary code execution. The flaw, which results from “incorrect validations by boot scripts when specific... (ROMMON) variables are set,” can be exploited only by a threat actor who already has access to the root shell of a device. Once that access is established, all the threat actor needs to do is install code in the OS and set what Cisco describes as “a specific ROMMON variable.”
As stated before, these are merely two of the issues among the 29 high-severity vulnerabilities of the 41 total patched. Considering that these patches are just the tip of the iceberg, it is imperative that the professionals in charge of their organizations’ Cisco software implement them as soon as possible. The last thing anyone needs is a denial-of-service attack or other disruption of day-to-day operations due to a failure to patch.
Featured image: Flickr/ Pamela Ocampo