Cisco CVE

Real time update about Vulnerabilities affecting Cisco Systems

Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and the BFD feature is enabled:

Catalyst 4500 Supervisor Engine 6-E (K5)
Catalyst 4500 Supervisor Engine 6L-E (K10)
Catalyst 4500 Supervisor Engine 7-E (K10)
Catalyst 4500 Supervisor Engine 7L-E (K10)
Catalyst 4500E Supervisor Engine 8-E (K10)
Catalyst 4500E Supervisor Engine 8L-E (K10)
Catalyst 4500E Supervisor Engine 9-E (K10)
Catalyst 4500-X Series Switches (K10)
Catalyst 4900M Switch (K5)
Catalyst 4948E Ethernet Switch (K5)

This vulnerability can be exploited only if the BFD feature is enabled on an affected device. The BFD feature is enabled by default in Cisco IOS Software and Cisco IOS XE Software if the software is running an IP Base (ipbase) package license or a higher license. The BFD feature is not supported by a LAN Base (lanbase) package license. For more information, see LAN Base, IP Base, and Enterprise Services Image Support.
For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.
Determining Whether the BFD Feature Is Enabled
To determine whether the BFD feature is enabled on a device, administrators can use the show running-config | include feature bfd command in privileged EXEC mode. The following example shows the output of the show running-config | include feature bfd command on a Cisco Catalyst Switch that has the BFD feature disabled:

switch# show running-config | include feature bfd platform module all feature bfd disable platform module feature bfd disable platform feature bfd disable feature bfd disable

Empty output from the show running-config | include feature bfd command would indicate that the BFD feature is enabled.
Determining Which Package License Is Enabled
To determine which package license is enabled on a device, administrators can use the show license feature command in privileged EXEC mode. The following example shows the output of the show license feature command on a Cisco Catalyst Switch that has the IP Base (ipbase) package license enabled:

C4500# show license feature

Feature name Enforcement Evaluation Clear Allowed Enabled Right…
——————————————————————————
entservices true true true false true
ipbase true false true true false
lanbase false false true false false
internal_service true false true false false

If a software release does not support the show license feature command, administrators can determine which package license is enabled on a device by identifying the type of software image that is currently running on the device. To identify the type of software image that is running on a device, administrators can use the show version | include image command in privileged EXEC mode. The following example shows the output of the show version | include image command on a Cisco Catalyst Switch that is running a software image that has the LAN Base (lanbase) package license enabled:

C4948E# show version | include image

System image file is “bootflash:cat4500e-lanbasek9-mz.151-2.SG3.bin”

Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:

Router > show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.

For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide.Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the Cisco Catalyst 4500 Series Supervisor Engine V-10GE (K2) or the Cisco Catalyst 4948 Switch (K2).
Cisco has also confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software.

Cisco Webex Player Memory Corruption Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco Webex Player releases 41.5 and later contained the fix for this vulnerability. Releases are available from the Cisco Webex Video Recording page or from corresponding Cisco Webex Meetings sites.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Firepower Threat Defense Software SSL Decryption Policy Denial of Service Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
In the following table(s), the left column lists Cisco software releases. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by any of the vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities.
FTD Software

Cisco FTD Software Release 
First Fixed Release for This Vulnerability
Recommended Fixed Release for All Vulnerabilities Described in the Bundle of Advisories

Earlier than 6.2.21
Not vulnerable.
Migrate to a fixed release.

6.2.2
Not vulnerable.
Migrate to a fixed release.

6.2.3
Not vulnerable.
Migrate to a fixed release.

6.3.0
Migrate to a fixed release.
Migrate to a fixed release.

6.4.0
Not vulnerable.
6.4.0.12 (May 2021)

6.5.0
Not vulnerable.
Migrate to a fixed release.

6.6.0
Not vulnerable.
6.6.42

6.7.0
Not vulnerable.
6.7.0.2

1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as releases 6.2.0 and 6.2.1, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
2. The First Fixed Release for the 6.6.0 code train was 6.6.3; however, due to upgrade issues associated with CSCvx86231 the recommended release is 6.6.4.
To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

The following table lists Cisco products that are affected by the vulnerabilities that are described in this advisory. If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details.

Product
Cisco Bug ID
Fixed Release Availability

Cisco Adaptive Security Appliance (ASA) SoftwareAffected features: Clientless WebVPN and AnyConnect VPN (only when SSO is enabled)
CSCvx73164
9.8.4.38 (Jun 2021)9.12.4.24 (available)9.14.3 (Jun 2021)9.15.1.15 (available)9.16.1.3 (available)

Cisco Content Security Management Appliance (SMA)Affected feature: Web-based management interface (only when SSO is enabled)
CSCvx73156
13.8.1 (available)14.1.0 (Jul 2021)

Cisco Email Security Appliance (ESA)Affected feature: Web-based management interface (only when SSO is enabled)
CSCvx73154
14.0.0-692 GD (available)

Cisco FXOS Software
CSCvx73164
2.2.2.149 (Jul 2021)2.3.1.216 (Jul 2021)2.6.1.230 (Jul 2021)2.7.1.143 (available)2.8.1.152 (available)2.9.1.143 (available)

Cisco Web Security Appliance (WSA)

CSCvx73157
14.0.1 (Sep 2021)

Cisco Firepower Threat Defense (FTD) SoftwareAffected feature: AnyConnect VPN (only when SSO is enabled)1

CSCvx73164
6.4.0.12 (available)6.6.5 (Jul 2021)6.7.0.2 (available)7.0.0 (available)

Cisco Prime Collaboration Assurance
CSCvx73162
12.1 SP4 ES (TBD)

1. The AnyConnect VPN is configurable only through FlexConfig for Cisco FTD releases earlier than Release 6.7.
The Cisco software releases listed in the following table have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

Cisco Software
End-of-Life Releases

ASA Software
9.7 and earlier9.99.109.13

FXOS Software
2.4.12.7.1

FTD Software
6.0.1 and earlier 6.2.06.2.16.5

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following products and services:
Network and Content Security Devices

Cisco AMP Virtual Private Cloud Appliance

Network Management and Provisioning

Cisco Prime Collaboration Provisioning

Unified Computing

Cisco UCS B-Series M5 Blade Servers
Cisco UCS C-Series M5 Rack Servers – Managed

Video, Streaming, TelePresence, and Transcoding Devices

Cisco Video Surveillance Media Server
Cisco Video Surveillance Operations Manager
Cisco Vision Dynamic Signage Director

Cisco Finesse and Cisco Virtualized Voice Browser OpenSocial Gadget Editor Vulnerabilities

The vulnerabilities are dependent on one another; exploitation of one of the vulnerabilities is required to exploit the other vulnerability.
Details about the vulnerabilities are as follows:

Cisco Finesse and Cisco Virtualized Voice Browser OpenSocial Gadget Editor Unauthenticated Access Vulnerability
A vulnerability in the web management interface of Cisco Finesse and Cisco Virtualized Voice Browser could allow an unauthenticated, remote attacker to access the OpenSocial Gadget Editor without providing valid user credentials.
The vulnerability is due to missing authentication for a specific section of the web-based management interface. An attacker could exploit this vulnerability by accessing a crafted URL. A successful exploit could allow the attacker to obtain access to a section of the interface, which they could use to obtain potentially confidential information and create arbitrary XML files.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE ID: CVE-2021-1246Bug ID(s): CSCvs52916, CSCvw27957Security Impact Rating (SIR): MediumCVSS Base Score: 6.5CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Cisco Finesse OpenSocial Gadget Editor Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Finesse could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVE ID: CVE-2021-1245Bug ID(s): CSCvs52916Security Impact Rating (SIR): MediumCVSS Base Score: 6.1CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Cisco Webex Meetings and Webex Meetings Server Multimedia Sharing Security Bypass Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
Cisco has addressed this vulnerability in Cisco Webex Meetings, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI.
At the time of publication, Cisco Webex Meetings Server releases 3.0 MR4 and 4.0 MR4 contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco Webex Meetings, Webex Network Recording Player, and Webex Teams DLL Injection Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):

Cisco Webex Platform
First Fixed Release

Webex Meetings Desktop App for Windows
41.1.5.1141.2.9.23

Webex Meetings Server
3.0 MR44.0 MR4

Webex Network Recording Player for Windows
41.1.5.1141.2.9.23

Webex Teams for Windows
41.3.0.1898641.4.0.1873741.5.0.18815

Cisco Webex Meetings Client Software Logging Information Disclosure Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco Webex Meetings client software releases 41.4 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco ThousandEyes Recorder Information Disclosure Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco ThousandEyes Recorder releases 1.0.5 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Video Surveillance 7000 Series IP Cameras Cisco Discovery and Link Layer Discovery Protocol Memory Leak Vulnerabilities

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco Video Surveillance 7000 Series IP Cameras firmware releases 2.12.3 and later contained the fix for these vulnerabilities.
To download the firmware updates from the Software Center on Cisco.com, click Browse all, choose Connected Safety and Security > Video Surveillance IP Cameras > Video Surveillance 7000 Series IP Cameras, and then choose the correct camera model.

Cisco SD-WAN Software Privilege Escalation Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):

Cisco SD-WAN Software Release
First Fixed Release

18.4 and earlier
Not vulnerable

19.2
Not vulnerable

20.1
Not vulnerable

20.3
Not vulnerable

20.4
20.4.2

20.5
20.5.1

Cisco ASR 5000 Series Software Authorization Bypass Vulnerabilities

Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release that includes the fix for these vulnerabilities. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.

Cisco StarOS Release
First Fixed Release

Earlier than 21.16
Migrate to 21.16.9

21.16
21.16.9

21.17
21.17.10

21.18
21.18.16

21.19
26.19.11

21.19.n
21.19.n7

21.20
21.20.8

21.21 and later
Not vulnerable

Cisco Common Services Platform Collector Command Injection Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco CSPC releases 2.9.1 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Webex Meetings and Webex Meetings Server File Redirect Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
Cisco has addressed this vulnerability in Cisco Webex Meetings, which is cloud based. No user action is required. Customers can determine the current remediation status or software version by using the Help function in the service GUI.
At the time of publication, Cisco Webex Meetings Server releases 3.0 MR4 and later and 4.0 MR4 and later contained the fix for this vulnerability.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Cisco Webex Network Recording Player and Webex Player Memory Corruption Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
Cisco fixed this vulnerability in Cisco Webex Network Recording Player and Cisco Webex Player releases 41.2 and later. Releases are available from the Cisco Webex Video Recording page or from corresponding Cisco Webex Meetings sites and servers.
Customers who host Cisco Webex Meetings Server on premises can obtain updated releases of Cisco Webex Network Recording Player from server releases 3.0 MR4 and later and 4.0 MR4 and later.

Cisco Integrated Management Controller Open Redirect Vulnerability

For information about fixed software releases, consult the Cisco bug ID(s) at the top of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco IMC Software releases 3.2(12.4) contained the fix for this vulnerability.
At the time of publication, Cisco had not released updates that address this vulnerability for the following Cisco products:

UCS E-Series Blade Servers
UCS Manager Software
UCS S-Series Servers in standalone mode

See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulnerability

Workarounds that address this vulnerability were introduced in Cisco bug ID CSCvw48062 via new configuration settings. The new settings are available in releases 4.9.04053 and later. Cisco recommends using additional settings that were introduced in Release 4.10.00093 instead of using the settings introduced in 4.9.04053.
The settings introduced in 4.10.00093 allow connections to trusted headends only, without any functionality loss. Additional information about the new settings is in the Recommendations section of this advisory.
Cisco AnyConnect Secure Mobility Client Software Release 4.10.00093
Releases 4.10.00093 and later contain the fix for Cisco bug ID CSCvv30103 with no additional configuration required. See the Recommendations section for additional optional but recommended settings.
Upgrade instructions for systems where workarounds were previously applied
This section is relevant only to customers that had previously applied the workaround settings for releases 4.9.04053, 4.9.05042, or 4.9.06037 or mitigation settings for releases earlier than Release 4.9.04053. If the workarounds or mitigations listed on this advisory were not previously used, use the normal upgrade process. More information about the normal upgrade process is in the Release Notes or Configuration Guide.
The following instructions describe how to upgrade to Release 4.10.00093 and remove the previously applied settings in the AnyConnectLocalPolicy.xml file. This file is in the following locations:

Windows::ProgramDataCiscoCisco AnyConnect Secure Mobility Client
macOS: /opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

AnyConnect Secure Mobility Client Software Release
AnyConnectLocalPolicy.xml Settings
Instructions

Earlier than 4.9.04053

Previously deployed AnyConnectLocalPolicy.xml settings:

BypassDownloader= true

New AnyConnectLocalPolicy.xml settings:

BypassDownloader=false

Upgrade to 4.10 using a predeploy method.
Redistribute the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
Apply the new 4.10 settings shown in the Recommendations section.

4.9.04053, 4.9.05042, 4.9.06037

Previously deployed AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=true
RestrictHelpWebDeploy=true
RestrictResourceWebDeploy=true
RestrictLocalizationWebDeploy=true
BypassDownloader=false

New AnyConnectLocalPolicy.xml settings:

RestrictScriptWebDeploy=false
RestrictHelpWebDeploy=false
RestrictResourceWebDeploy=false
RestrictLocalizationWebDeploy=false
BypassDownloader=false

Upgrade to 4.10 using either a predeploy or webdeploy method.
Redistribute1 the AnyConnectLocalPolicy.xml file with new settings using an out-of-band deployment method.
Apply the new 4.10 settings shown in the Recommendations section.

1. Customers may leave the settings intact for RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, and RestrictLocalizationWebDeploy if the restricted functionality is not required. If these settings remain true, files must be distributed using an out-of-band deployment method.

Cisco AnyConnect Secure Mobility Client Software Releases 4.9.04053, 4.9.05042, and 4.9.06037
For customers who have already applied the RestrictScriptWebDeploy workaround
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who have already applied the RestrictScriptWebDeploy, RestrictHelpWebDeploy, RestrictResourceWebDeploy, RestrictLocalizationWebDeploy workarounds, nothing further needs to be done to help ensure protection against exploitation of this vulnerability.
To restore full functionality to the product, customers should upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section. After full functionality is restored, customers can once again deploy files from the headend instead of using an out-of-band deployment method.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using Release 4.9.04053, 4.9.05042, or 4.9.06037 who cannot upgrade to Release 4.10.00093 or later, the recommended workaround for these releases is to edit the AnyConnectLocalPolicy.xml file to set RestrictScriptWebDeploy to true and ensure that BypassDownloader is set to false. The new AnyConnectLocalPolicy.xml file would then be deployed to end machines using an out-of-band method of deployment. 
There are additional configuration settings for releases 4.9.04053, 4.9.05042, and 4.9.06037 that are strongly recommended for increased protection. The full set of custom web-deploy restrictions is listed below. For more details about the new configuration settings and implications of their use, refer to the Release Notes or Cisco bug ID CSCvw48062. These settings would allow profile updates and future software upgrades while helping to protect against exploitation of this vulnerability.

RestrictScriptWebDeploy
RestrictHelpWebDeploy
RestrictResourceWebDeploy
RestrictLocalizationWebDeploy

The following procedure is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows::ProgramDataCiscoCisco AnyConnect Secure Mobility Client
macOS:/opt/cisco/anyconnect/
Linux:/opt/cisco/anyconnect/

Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following lines:
false
false
false
false

Change that setting to true, as shown in the following example:
true
true
true
true

Verify that the BypassDownloader setting is correct by looking for the following line:

false

If the BypassDownloader setting is true, change it to false, as shown in the following example:

false

Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.

Cisco AnyConnect Secure Mobility Client Software Earlier than Release 4.9.04053
For customers who have already applied the BypassDownloader mitigation
For customers using releases earlier than Release 4.9.04053 who have already applied the BypassDownloader mitigation, nothing further needs to be done to enable protection against exploitation of this vulnerability. Because this mitigation is not recommended, customers could upgrade to Release 4.10.00093 and apply the recommended settings shown in the Recommendations section.
For customers who cannot upgrade to Release 4.10.00093 or later
For customers using releases earlier than Release 4.9.04053 who cannot upgrade to Release 4.10.00093 or later and/or do not require updated content on the VPN headend device to be downloaded to the client, enabling the BypassDownloader setting is a possible mitigation.
Warning: Changing the BypassDownloader setting is not recommended in most customer environments. If the BypassDownloader is set to true, VPN users could be refused a connection from the VPN headend if their local VPN XML profiles are out of date with what is configured on the VPN headend.
Note: Enabling the BypassDownloader setting can be done only out-of-band on the client devices and has a couple of implications:

All future updates to either Cisco AnyConnect Secure Mobility Client Software or the AnyConnect profile would have to be done out-of-band. AnyConnect will no longer download updated content from the headend device.
AnyConnect profiles would still need to be in sync between the headend device and the client. If the profiles are not in sync, the VPN connection could be established with default settings instead of with settings on the headend or client. The VPN headend could also refuse the connection.

The procedure that follows is for editing the policy on a local machine. In most deployment scenarios, the modification would be done to the AnyConnectLocalPolicy.xml file and then deployed to all client machines using an out-of-band method of deployment such as an enterprise software management system. Any modifications to the AnyConnectLocalPolicy.xml file must be done with sudo or admin rights.

Find the AnyConnectLocalPolicy.xml file on the client machine. This file is in the following locations:

Windows::ProgramDataCiscoCisco AnyConnect Secure Mobility Client
macOS:/opt/cisco/anyconnect/
Linux: /opt/cisco/anyconnect/

Open the AnyConnectLocalPolicy.xml file in a text editor and look for the following line:

false

Change that setting to true, as shown in the following example:

true

Save the file to the original location. The network paths are noted above.
Restart the VPN Agent service or reboot the client machine.

Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerabilities

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerabilities described in this advisory and which release included the fix for these vulnerabilities.
Cisco FTD Software

Cisco FTD Software Release
First Fixed Release for these Vulnerabilities

Earlier than 6.2.21
Migrate to a fixed release.

6.2.2
Migrate to a fixed release.

6.2.3
Migrate to a fixed release.

6.3.0
Migrate to a fixed release.

6.4.0
6.4.0.12

6.5.0
Migrate to a fixed release.

6.6.0
6.6.42

6.7.0
6.7.0.2

1. Cisco FMC and FTD Software releases 6.0.1 and earlier, as well as releases 6.2.0 and 6.2.1, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

2. The First Fixed Release for the 6.6.0 code train was 6.6.3; however, due to upgrade issues associated with CSCvx86231 the recommended release is 6.6.4.

To upgrade to a fixed release of Cisco FTD Software, do one of the following:

For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Cisco IOS XE Software and Cisco IOS XE SD-WAN Software

Cisco UTD Snort IPS Engine Software for IOS XE and Cisco UTD Engine for IOS XE SD-WAN Software1
First Fixed Release for these Vulnerabilities

Earlier than 16.12
Migrate to a fixed release.

16.12
16.12.5

17.1
Migrate to a fixed release.

17.2
Migrate to a fixed release.

17.3
17.3.3

17.4
17.4.1

1Starting with release 17.2.1, Cisco IOS XE Software and Cisco IOS XE SD-WAN Software share the same image file.
Open Source Snort
The open source Snort project releases 2.9.17.1 and later contain the fix for these vulnerabilities. For more information on open source Snort, see the Snort website.

Multiple Cisco Products Snort TCP Fast Open File Policy Bypass Vulnerability

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Cisco FTD Software Release 6.7.0
For Cisco FTD Software Release 6.7.0, as a workaround when the Snort 3 configuration option is enabled, an administrator may enable built-in rule 129:2 in the intrusion policy and set the action to Drop instead of Alert.
Use the following steps to verify that the Snort 3 configuration option is enabled. For more details, see the Switching Between Snort 2 and Snort 3 section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies  > Intrusion.
Look for the Snort Version line above the table. The current version is the first number in the complete version number. For example, 2.9.17-95 is a Snort 2 version.

Use the following steps to enable rule 129:2. For more details, see the Changing Intrusion Rule Actions (Snort 3) section of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.7.

Log in to the Admin Portal for the FTD deployment.
Navigate to Policies  > Intrusion.
Choose any system-provided policy, such as Balanced Security and Connectivity.
Search for rule 129:2.
Check the check box next to the rule to enable it.
Choose Drop from the Action drop-down list.
Add the intrusion policy to a rule in Access control policy.

Cisco NX-OS Software CLI Bypass to Internal Service Vulnerability

Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
No upgrade action is necessary for customers who have already applied a recommended release to address the March 2019 Cisco FXOS and NX-OS Software bundle. See
Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication for a list of advisories in the bundle.
Customers who have not applied a recommended release to address the March 2019 bundle are advised to upgrade to an appropriate release as indicated in the applicable table in this section. In the following tables, the left column lists Cisco NX-OS Software releases. The right column indicates the first release that includes the fix for this vulnerability.
MDS 9000 Series Multilayer Switches: CSCvi99248

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

5.2
6.2(25)

6.2
6.2(25)

7.3
8.3(2)

8.1
8.3(2)

8.2
8.3(2)

8.3
8.3(2)

Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvh24771

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

Prior to 7.0(3)I7
7.0(3)I7(3)

7.0(3)I7
7.0(3)I7(3)

9.2(1)
Not vulnerable

Nexus 3500 Platform Switches: CSCvi99250

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

Prior to 6.0(2)A8
6.0(2)A8(11) 

6.0(2)A8
6.0(2)A8(11)

7.0(3)
7.0(3)I7(3)

9.2
Not vulnerable

Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: CSCvi99247

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

7.0(3)
9.2(1)

9.2
9.2(1)

Nexus 5500, 5600, and 6000 Series Switches: CSCvi99251

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

Prior to 7.3
7.3(4)N1(1)

7.3
7.3(4)N1(1)

Nexus 7000 and 7700 Series Switches: CSCvi99248

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

Prior to 6.2
6.2(22)

6.2
6.2(22)

7.2
7.3(3)D1(1)

7.3
7.3(3)D1(1)

8.0
8.2(3)

8.1
8.2(3)

8.2
8.2(3)

8.3
8.3(2)

UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvi99252 and CSCvn11851

Cisco NX-OS Software Release
First Fixed Release for This Vulnerability

Prior to 4.0
4.0(1d)

4.0
4.0(1d)

Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance.

Cisco MDS Series SwitchesCisco Nexus 1000V for VMware SwitchCisco Nexus 3000 Series and 3500 Series SwitchesCisco Nexus 5000 Series SwitchesCisco Nexus 5500 Platform SwitchesCisco Nexus 6000 Series SwitchesCisco Nexus 7000 Series SwitchesCisco Nexus 9000 Series SwitchesCisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

Cisco DNA Spaces Connector Command Injection Vulnerabilities

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco DNA Spaces: Connector docker software releases 2.0.519 and later contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.

Cisco Finesse Open Redirect Vulnerability

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
For information about fixed software releases, see the Details section in the bug ID(s) at the top of this advisory.

Cisco Finesse Cross-Site Scripting Vulnerabilities

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Fixed Releases
At the time of publication, Cisco Finesse releases 12.6(1) and later contained the fix for these vulnerabilities.
See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.