Cisco has released a Critical security advisory for three Treck IP Stack vulnerabilities, as well as seven other High severity advisories that affect multiple products.
Earlier this week, security researchers disclosed a series of 19 zero-day vulnerabilities, dubbed Ripple20, in a TCP/IP stack library used in many IoT and network products.
Cisco released its first advisory to address three of the Ripple20 vulnerabilities that affect multiple Cisco products. An attacker could exploit these vulnerabilities to cause a denial of service (DoS), execute code remotely (RCE) or disclose information.
Although Cisco continues to investigate the potential impact of Ripple20 on Routing and Switching products, the company did confirm the following products are affected:
- Cisco GGSN Gateway GPRS Support Node
- Cisco MME Mobility Management Entity
- Cisco PGW Packet Data Network Gateway
- Cisco System Architecture Evolution Gateway
Three of the Ripple20 vulnerabilities (CVE-2020-11896, CVE-2020-11897 and CVE-2020-11898) are included in the Cisco advisory.
In addition, Cisco patched the following 12 High-risk vulnerabilities, listed with their CVEs, that affect Webex, TelePresence and multiple Small Business products:
- Cisco Webex Meetings and Cisco Webex Meetings Server Token Handling Unauthorized Access Vulnerability (CVE-2020-3361)
- Cisco Webex Meetings Desktop App URL Filtering Arbitrary Program Execution Vulnerability (CVE-2020-3263)
- Cisco Webex Meetings Desktop App for Mac Update Feature Code Execution Vulnerability (CVE-2020-3342)
- Cisco TelePresence Collaboration Endpoint and RoomOS Software Command Injection Vulnerability (CVE-2020-3336)
- Cisco Small Business RV Series Routers Stack Overflow Arbitrary Code Execution Vulnerabilities (CVE-2020-3286, CVE-2020-3287, CVE-2020-3288)
- Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers Management Interface Vulnerabilities (CVE-2020-3268, CVE-2020-3269)
- Cisco Small Business RV Series Routers Command Injection Vulnerabilities (CVE-2020-3274, CVE-2020-3275 and CVE-2020-3276)
Finally, Cisco also addressed a medium-rated Information Disclosure vulnerability (CVE-2020-3360) in the Web Access feature of Cisco IP Phones.