Cisco has released security patches for Email Security Appliance, Webex, Prime Network Registrar, Intelligent Proximity and other products. Four of the vulnerabilities are rated High severity and another nine are rated Medium severity.
A bad actor could exploit these vulnerabilities to take control of impacted network devices.
Here’s a break down of the patches broken out by High and Medium severity.
High severity updates
Cisco patched the following high risk vulnerabilities (along with CVE):
- Cisco Intelligent Proximity SSL Certificate Validation Vulnerability (CVE-2020-3155)
- Cisco Prime Network Registrar Cross-Site Request Forgery Vulnerability (CVE-2020-3148)
- Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities (CVE-2020-3127, CVE-2020-3128).
Of special note, a remote attacker could exploit the two Webex bugs and run arbitrary code.
“An attacker could exploit these vulnerabilities by sending a malicious ARF or WRF file to a user through a link or email attachment and persuading the user to open the file on the local system,” Cisco added in the advisory.
Medium severity updates
Cisco also patched the following vulnerabilities rated Medium severity:
- Cisco Email Security Appliance Uncontrolled Resource Exhaustion Vulnerability (CVE-2020-3155)
- Cisco Webex Meetings Client for MacOS Information Disclosure Vulnerability (CVE-2020-3182)
- Cisco TelePresence Management Suite Stored Cross-Site Scripting Vulnerability (CVE-2020-3185)
- Cisco Remote PHY Device Software Command Injection Vulnerability (CVE-2020-3176)
- Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability (CVE-2020-3192)
- Cisco Prime Collaboration Provisioning Information Disclosure Vulnerability (CVE-2020-3193)
- Cisco Identity Services Engine Cross-Site Scripting Vulnerability (CVE-2020-3157)
- Cisco IOS XR Software IPsec Packet Processor Denial of Service Vulnerability (CVE-2020-3190)
- Cisco ESA, Cisco WSA, and Cisco SMA GUI Denial of Service Vulnerability (CVE-2020-3164).
Check out the latest Cisco advisories released on March 4 and 5, 2020. Patches should be applied to affected devices as soon as possible.