Cisco fixes 34 High-Severity flaws in IOS and IOS XE software

Cisco patched 34 high-severity flaws affecting its IOS and IOS XE software, some of them can be exploited by a remote unauthenticated attacker.

Cisco on Thursday released security patches for 34 high-severity vulnerabilities affecting its IOS and IOS XE software.

The IT giant issued 25 advisories as part of the September 2020 semiannual IOS and IOS XE Software Security Advisory Bundled Publication.

The company, in direct response to customer feedback, releases bundles of Cisco IOS and IOS XE Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year.

25 Security Advisories describe a total of 34 vulnerabilities in IOS Software and IOS XE Software.

Some of the issues can be exploited by a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition, and one flaw could also allow hackers to gain access to sensitive data.

The DoS flaws impacted the Common Open Policy Service (COPS) engine, incorrect packet processing, Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing, RESTCONF and NETCONF-YANG access control list functions, the LPWA subsystem in industrial routers, handling of DHCP messages, the Umbrella Connector component, the Flexible NetFlow version 9 packet processor, the IP Service Level Agreement (SLA) responder feature, the multicast DNS (mDNS) feature, the Zone-Based Firewall, and the Split DNS feature.

Two vulnerabilities can allow authenticated attackers with local access to the target devices to execute arbitrary code. One vulnerability can be exploited by an authenticated attacker to access some parts of the user interface they normally should not be able to access.

The most severe issues addressed by Cisco are:

Cisco IOS XE Software Privilege Escalation Vulnerabilities CVE-2020-3141CVE-2020-3425 High 8.8

Cisco IOS XE Software Web UI Authorization Bypass Vulnerability CVE-2020-3400 High 8.8

Many of the vulnerabilities were found by Cisco experts during internal assessment of the software.

Cisco confirmed that it has no evidence that the flaws have been exploited by threat actors in attacks in the wild.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s