Cisco: Sicherheitslücken in Zahlreichen Products

Cisco hat der Nacht zum 15 new Sicherheitsmitteilungen veröffentlicht in Donnerstag. Choose a product palette. Darunter found a critically important risk and found Sicherheitslücken with multiple risks. IT-Verantwortliche sollten prüfen, ob sie verwundbare Device insetzen ve die bereitstehenden aktualisierungen always.

Anzeige

A Schwachstelle (CVE-2024-20418) is included with a CVSS-Einstufung in Cisco Unified Industrial Wireless Software 10 to 10 möglichen Punkten das höchstmögliche Riskiko, “critical“, Darstellt. Der Webbasierten Verwaltungsoberfläche von Cisco ultra-reliable wireless faç (urwb) access points. Icht Das Sendsen Manipulierter HTTP Connections und Catalyst IW9165D Heavy-Duty Access Points, Catalyst IW9165E Rugged Access Points and Wireless Clients and Catalyst IW9167E Heavy-Duty Access Points, updated Available with updates.

Hochriskante Cisco-Lücken

In Cisco Nexus Dashboard Fabric Controller, you can make SQL-Befele even better by using Angreifer over Netz, using a SQL-Injection-Schwachstelle in web-based data transfer with a REST-API-Endpunkt. Chen. Das ermöglicht ihnen, beliebige Daten einer internen Datenbank zu lesen, verändern oder zu löschen, “Auswirkungen auf die Verfügbarkeit” angegriffener Geräte haben kann (CVE-2024-20536, CVSS) 8.8, idiot).

There is also the risk of Cisco betraying Cisco in a Denial of Service Case in Enterprise Chat and Email. Unauthenticated Akteure in Netz provides custom provisioning Media Routing Peripheral Interface Manager (MR PIM)-Traffic and full data transfer from the device (CVE-2024-20484, CVSS) in External Agent Assignment Service (EAAS) functionality. 7.5, idiot).

The rest resemble Schwachstellen, Cisco the best of Bedrohungsgrad. Some security measures that Cisco keeps out of the risk ranking:

Cisco Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul Access Point Command Injection VulnerabilityCVSS 10.0“Risk”critical“
Cisco Nexus Dashboard Fabric Controller SQL Injection VulnerabilityCVSS 8.8, idiot
Cisco Enterprise Chat and Email Denial of Service VulnerabilityCVSS 7.5, idiot
Cisco Identity Services Engine Auth Bypass and Cross-Site Scripting VulnerabilitiesCVSS 6.5, Mittel
Cisco Unified Communications Manager IM and Presence Service Information Disclosure VulnerabilityCVSS 6.5, Mittel
Cisco Identity Services Engine VulnerabilitiesCVSS 6.1, Mittel
Cisco Unified Communications Manager Cross-Site Scripting VulnerabilityCVSS 6.1, Mittel
Stored Cross-Site Scripting Vulnerability in Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web ApplianceCVSS 5.4, Mittel
Cisco Enhanced Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting VulnerabilityCVSS 5.4, Mittel
Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting VulnerabilityCVSS 5.4, Mittel
Access Control List Programming Vulnerability in Cisco Nexus 3550-F SwitchesCVSS 5.3, Mittel
Information Disclosure Vulnerability in Cisco 7800, 8800, and 9800 Series PhonesCVSS 5.3, Mittel
Cisco 6800, 7800, 8800, and 9800 Series Phones with Cross-Site Scripting Vulnerabilities Stored in Multi-Platform FirmwareCVSS 4.8, Mittel
Information Disclosure Vulnerability in Cisco Meeting ManagementCVSS 4.3, Mittel
Cisco Identity Services Engine VulnerabilitiesCVSS 4.3, Mittel

We know Cisco is running Brute-Force-Schutz with VPN Logins for more ASA and FTD Devices. In April, VPN Server reconfiguration was achieved with Password Spraying and Brute Force Attack.

(DMK)