Cisco has revealed 21 “high” and “medium” severity flaws affecting its widely-deployed networking operating system IOS as well as fixes for a botched patch it issued for small business routers in January that are under attack.
The networking giant released updates for 19 high severity flaws on Wednesday to fix a variety of vulnerabilities in its products that could lead to denial of service, information disclosure, and command injection.
Along with the new security updates, Cisco flagged two "incomplete" updates that were originally released in January to plug serious flaws affecting the web interface of Cisco’s Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers.
One of the flaws, CVE-2019-1653, allowed an unauthenticated remote attacker to obtain configuration files from the device and an administrator’s hashed password, which could be used to log into the router through the web interface.
The second flaw, CVE-2019-1652, allowed an attacker with valid credentials to remotely execute commands on the device.
“The initial fix for this vulnerability was found to be incomplete,” Cisco said in its updated advisories for the two flaws. “Cisco is currently working on a complete fix.”
The company plans to update the advisory once it turns out fixed code. For now it warns that firmware updates aren’t available yet and that there aren’t any workarounds.
The flaw affects routers running on firmware releases 22.214.171.124 and later.
All other newly disclosed high severity flaws detailed in advisories published on Wednesday were found through customers reports or internal testing.
Cisco said it was not aware of any of the bugs being attacked in the wild currently. Details about the flaws can be found on Cisco’s security advisory page.
The company earlier this month warned customers to install February updates that addressed a critical flaw, CVE-2019-1663, affecting the web interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router.
Cisco said it became aware of networking scanning that appeared to target a remote code execution flaw affecting the web interface of the routers. The potential attacks emerged after a security researcher revealed Cisco had used a notoriously dangerous C function called ‘strcpy’, which exposed devices to a buffer overflow memory vulnerability.