Cisco is releasing a new security update that has faced 34 vulnerabilities in the company's number of products and software, including its small business and VPN routers, and five of which have been described as critical.
The first of these significant weaknesses, tracked as CVE-2020-3330 with a CVSS score of 9.8, affects the Telnet service in Cisco Small Business RV110W Wireless-N VPN firewall routers.
This security flaw is caused by the device's default, static password being used and if this password is obtained by an attacker, the router can be hijacked remotely.
The second significant vulnerability, also known as CVE-2020-3323, affects Cisco's Small Business RV110W, RV130, RV130W and RV215W routers, with a CVSS score of 9.8. The flaw resides in the online management portal for these routers with improper validation issues that can be exploited using malicious HTTP requests.
The third vulnerability also affects the same router line, with a CVSS score of 9.8 tracked as CVE-2020-3144 and, once again, the security flaw remains in the device's web management portal. If exploited, it can allow an unproven, remote attacker to bypass authentication and execute arbitrary commands on an affected device.
Critical vulnerabilitiesCisco's RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN Routers are also affected by vulnerabilities tracked as CVE-2020-3331 with a CVSS score of 9.8 that executes arbitrary code with root privileges Can be exploited by an attacker to do.
This bug is found in the web management interface of firewalls and routers and results in how user input is handled by devices.
The last significant vulnerability is the Cisco Patch, tracked as CVE-2020-3140 and with a CVSS score of 9.8, present in Cisco Prime License Manager (PLM). This is another web management portal issue caused by improper user input handling and the bug can be misused by an attacker sending malicious requests.
While this vulnerability could potentially lead to administrator-level privilege escalation, an attacker would need a valid username to exploit it.
In addition to these five critical weaknesses, Cisco also released a number of fixes for its other products and services, including Identity Services, SD-WAN vManage and vEdge, Webex meetings and more.
For more information about: cisco vpn