Bumper Cisco patches fix four new ‘critical’ vulnerabilities

If you’re a Cisco customer, the company just issued some urgent patching homework in the form of 31 security fixes, including four addressing new flaws rated ‘critical’.

Three of the criticals (CVE-2019-1937, CVE-2019-1938, CVE-2019-1974) relate to authentication bypass vulnerabilities affecting the following products:

  • UCS Director and Cisco UCS Director Express for Big Data.
  • IMC Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.
  • Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

All three are remotely exploitable, hence their CVSS score of 9.8, and each could allow “an attacker to gain full administrative access to the affected device.”

The fourth (CVE-2019-1935, also a 9.8) affects the Integrated Management Controller Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data.

This is described as a default credentials flaw that could allow an attacker to log into the command line interface using the SCP user account, giving them “full read and write access to the system’s database.”

Reheats

The advisory also mentions two further critical vulnerabilities beyond the 31 fixes, CVE-2019-1913 and CVE-2019-1912, but these are just updates to advisories from early August affecting the company’s 220 Series Smart Switches.

What appears to have changed since then is that Cisco has received word that public exploits are now available, although in both cases:

Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.

That sounds comforting, but the fact that proof-of-concept code is out there raises the urgency of patching these flaws as soon as possible.

Insecure boot

Cisco also finds itself patching a high priority flaw (CVE-2019-1649) in the proprietary secure boot routine used by what appears to be a big chunk of the company’s well-known enterprise router and switching hardware.

This could allow an attacker to tamper with a device’s firmware, although admin access to the system would also be necessary for this.

In total, eight of the flaws classified as high priority relate to the possibility of command injection.

A final interesting item is CVE-2019-9506, the industry-wide Bluetooth ‘KNOB’ key negotiation vulnerability made public at the recent USENIX symposium, for which Cisco has now issued its own fix.