Latest Security vulnerabilities in Cisco products

Barnstable Overview :

Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability

Chennai CWE-399/ CVE-2019-12646

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

Cisco Catalyst 4000 Series Switches TCP Denial of Service Vulnerability

CWE-399/ CVE-2019-12652

A vulnerability in the ingress packet processing function of Cisco IOS Software for Cisco Catalyst 4000 Series Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability

CWE-284/ CVE-2019-12648

A vulnerability in the IOx application environment for Cisco IOS Software could allow an authenticated, remote attacker to gain unauthorized access to the Guest Operating System (Guest OS) running on an affected device.

Cisco IOS XE Software Web UI Command Injection Vulnerabilities

CWE-77 / CVE-2019-12650, 12651

Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device.

Cisco IOS and IOS XE Software Session Initiation Protocol Denial of Service Vulnerability

CWE-476 / CVE-2019-12654

A vulnerability in the common Session Initiation Protocol (SIP) library of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

Cisco IOS XE Software Raw Socket Transport Denial of Service Vulnerability

CWE-20 / CVE-2019-12653

A vulnerability in the Raw Socket Transport feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

Cisco IOS XE Software Filesystem Exhaustion Denial of Service Vulnerability

CWE-400 / CVE-2019-12658

A vulnerability in the filesystem resource management code of Cisco IOS XE Software could allow an unauthenticated, remote attacker to exhaust filesystem resources on an affected device and cause a denial of service (DoS) condition.

Cisco IOx Application Environment Denial of Service Vulnerability

CWE-20 / CVE-2019-12656

A vulnerability in the IOx application environment of multiple Cisco platforms could allow an unauthenticated, remote attacker to cause the IOx web server to stop processing HTTPS requests, resulting in a denial of service (DoS) condition.

Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability

CWE-20 / CVE-2019-12655

A vulnerability in the FTP application layer gateway (ALG) functionality used by Network Address Translation (NAT), NAT IPv6 to IPv4 (NAT64), and the Zone-Based Policy Firewall (ZBFW) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

Cisco IOS XE Software Unified Threat Defense Denial of Service Vulnerability

CWE-20 / CVE-2019-12657

A vulnerability in Unified Threat Defense (UTD) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability

CWE-347 / CVE-2019-12649

A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install and boot a malicious software image or execute unsigned binaries on an affected device.

Cisco IOS and IOS XE Software IP Ident Denial of Service Vulnerability

CWE-476 / CVE-2019-12647

A vulnerability in the Ident protocol handler of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

Cisco IOS XE Software Stored Cross-Site Scripting Vulnerability

CWE-79 / CVE-2019-12667

A vulnerability in the web framework code of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software.

Cisco IOS XR Software for Cisco ASR 9000 VMAN CLI Privilege Escalation Vulnerability

CWE-78 / CVE-2019-12709

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

Cisco IOS XE Software Virtualization Manager CLI Command Injection Vulnerability

CWE-77 / CVE-2019-12661

A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root.

Cisco NX-OS and IOS XE Software Virtual Service Image Signature Bypass Vulnerability

CWE-347 / CVE-2019-12662

A vulnerability in Cisco NX-OS Software and Cisco IOS XE Software could allow an authenticated, local attacker with valid administrator or privilege level 15 credentials to load a virtual service image and bypass signature verification on an affected device.

Cisco IOS and IOS XE Software Change of Authorization Denial of Service Vulnerability

CWE-20 / CVE-2019-12669

A vulnerability in the RADIUS Change of Authorization (CoA) code of Cisco TrustSec, a feature within Cisco IOS XE Software, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability

CWE-79 / CVE-2019-12668

A vulnerability in the web framework code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web interface of the affected software using the banner parameter.

Cisco NX-OS Software Virtualization Manager Command Injection Vulnerability

CWE-78 / CVE-2019-12717

A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges.

Cisco IOS XE Software ISDN Data Leak Vulnerability

CWE-200 / CVE-2019-12664

A vulnerability in the Dialer interface feature for ISDN connections in Cisco IOS XE Software for Cisco 4000 Series Integrated Services Routers (ISRs) could allow an unauthenticated, adjacent attacker topass IPv4 traffic through an ISDN channel prior to successful PPP authentication.

Cisco IOS XE Software IOx Guest Shell Namespace Protection Vulnerability

CWE-284 / CVE-2019-12670

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker within the IOx Guest Shell to modify the namespace container protections on an affected device.

Cisco IOS XE Software Consent Token Bypass Vulnerability

CWE-285 / CVE-2019-12671

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to gain shell access on an affected device and execute commands on the underlying operating system (OS).

Cisco IOS XE Software Arbitrary Code Execution Vulnerability

CWE-59 / CVE-2019-12672

A vulnerability in the filesystem of Cisco IOS XE Software could allow an authenticated, local attacker with physical access to an affected device to execute arbitrary code on the underlying operating system (OS) with root privileges.

Cisco IOS XE Software HTTP Server Denial of Service Vulnerability

CWE-399 / CVE-2019-12659

A vulnerability in the HTTP server code of Cisco IOS XE Software couldallow an unauthenticated, remote attacker to cause the HTTP server to crash.Thevulnerability is due to a logical error in the logging mechanism.

Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability

CWE-399 / CVE-2019-12665

A vulnerability in the HTTP client feature of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to read and modify data that should normally have been sent via an encrypted channel.

Cisco IOS XE Software Path Traversal Vulnerability

CWE-22 / CVE-2019-12666

A vulnerability in the Guest Shell of Cisco IOS XE Software could allow an authenticated, local attacker to perform directory traversal on the base Linux operating system of Cisco IOS XE Software.The vulnerability is due to incomplete validation of certain commands.

Cisco IOS XE Software TrustSec Protected Access Credential Provisioning Denial of Service Vulnerability

CWE-20 / CVE-2019-12663

A vulnerability in the Cisco TrustSec (CTS) Protected Access Credential (PAC) provisioning module of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device, resulting in a denial of service (DoS) condition.

Cisco IOS XE Software ASIC Register Write Vulnerability

CWE-668 / CVE-2019-12660

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to write values to the underlying memory of an affected device.The vulnerability is due to improper input validation and authorization of specific commands that a user can execute within the CLI.