Cisco is urging customers to update small business switches, its DNA Center software, routers with its StarOS software, and its AnyConnect Secure Mobility VPN client for Windows.
- CVE-2020-3363: Cisco has disclosed a bug in the IPv6 packet processing engine of several Cisco Small Business Smart and Managed Switches that could allow a remote attacker without credentials to trigger a denial of service on affected devices. Cisco has made a software update available for four of the affected switches, while the rest of the affected switches are beyond the end-of-software-maintenance milestone. The vulnerability has been given a severity score of 8.6 out of 10, but Cisco says it is not aware of any malicious use of the vulnerability and found it during internal testing. The issue only affects IPv6 traffic, not IPv4 traffic. Find out more here.
- CVE-2020-3411: Certain versions of Cisco’s DNA Center network automation software are also vulnerable to a high-severity flaw that could let a remote attacker access sensitive information, including configuration files. It has a severity rating of 7.5. The software does not handle authentication tokens properly, which allows an attacker to send a crafted HTTPS request to an affected device. Cisco says it is not aware of any malicious use of the vulnerability and found it during internal testing. The bug affects all 1.3.x versions of DNA Center software releases prior to 126.96.36.199. Find out more here.
- CVE-2020-3324: This vulnerability is a slightly more serious flaw and can be found in the IPv6 implementation of Cisco StarOS. It could allow a remote attacker without credentials to cause a denial of service on affected routers. It has a severity rating of 8.6. Affected devices include Cisco’s ASR 5000 Series Aggregation Services Routers and its Virtualized Packet Core-Single Instance (VPC-SI). Cisco has published more details here.
- CVE-2020-3343: The Cisco AnyConnect Secure Mobility VPN client for Windows has a flaw that can let an authenticated, local attacker perform a dynamic link library (DLL) hijacking attack. If attackers gained valid credentials on the Windows system, they could run malicious code with system-level privileges. Users running Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later are not vulnerable. This has a severity rating of 7.5. Find out more here.
For additional information about vulnerability management, and how Drawbridge can help, please visit: DrawbridgeConnect-R.