Cisco has patched Critical vulnerabilities in VPN Firewall and Router products, as well as High risk bugs in SD-WAN products.
Cisco also released 7 High severity patches for SD-WAN products, as well as multiple Medium severity patches to fix bugs in Cisco Identity Services Engine, Email Security Appliance and other products.
VPN Firewall vulnerabilities
Cisco has fixed a Critical static default credential vulnerability CVE-2020-3330 in the Telnet service of Cisco Small Business RV110W Wireless-N VPN Firewall Routers.
As a result, an unauthenticated, remote attacker could take full control of the device with a high-privileged account.
“The vulnerability exists because a system account has a default and static password. An attacker could exploit this vulnerability by using this default account to connect to the affected system,” Cisco warned in the advisory.
Cisco also patched three Critical vulnerabilities in small business routers.
One of the updates fixes a remote code execution vulnerability CVE-2020-3323 in the web-based management interface of Cisco Small Business Routers (RV110W, RV130, RV130W, and RV215W models.
“A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco explained in the advisory.
The second Critical patch addresses an authentication bypass vulnerability CVE-2020-3144 in Cisco RV110W, RV130, RV130W, and RV215W Routers.
The third Critical update fixes an arbitrary code execution vulnerability CVE-2020-3331 in Cisco RV110W and RV215W Series Routers.
In addition, Cisco updated a privileged escalation vulnerability CVE-2020-3140 in the web management interface of Cisco Prime License Manager (PLM) Software.
All five of the Cisco Critical vulnerabilities have a CVSS base score of 9.8.
Cisco also patched 11 High severity vulnerabilities, 7 of them address flaws in SD-WAN products.
The SD-WAN patches fix denial of service, remote code execution and other vulnerabilities:
- CVE-2020-3381: Cisco SD-WAN vManage Software Directory Traversal Vulnerability
- CVE-2020-3387: Cisco SD-WAN vManage Software Remote Code Execution Vulnerability
- CVE-2020-3385: Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
- CVE-2020-3351: Cisco SD-WAN Solution Software Denial of Service Vulnerability
- CVE-2020-3180: Cisco SD-WAN Solution Software Static Credentials Vulnerability
- CVE-2020-3369: Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
- CVE-2020-3388: Cisco SD-WAN vManage Software Command Injection Vulnerability.
Finally, 16 other Medium severity vulnerabilities were also fixed on multiple Cisco products, such as Cisco Identity Services Engine, Email Security Appliance and others.
Check out the latest Cisco advisories as of July 16, 2020. Network administrators should install security updates to affected devices as soon as possible.