Cisco has disclosed several vulnerabilities in its own Industrial Network Director product, among them a code execution flaw. Cisco rated the vulnerabilities "high severity", meaning they are serious and should be patched urgently.
Industrial Network Director is designed to manage industrial networks and give operations teams visibility into their automation network. The vulnerabilities were found by Cisco's own employees during internal security testing.
Three vulnerabilities were found in the product. The most severe is CVE-2019-1861, which carries a CVSS score of 7.2.
According to Cisco's advisory, exploiting CVE-2019-1861 requires the attacker to first authenticate to the targeted system with administrator privileges and then upload a malicious file. An attacker who does so can execute arbitrary code with administrator privileges. The authentication requirement limits exposure to attackers who already hold or have stolen administrator credentials, but it lets such an attacker turn application-level access into arbitrary code execution on the system.
Cisco has fixed the flaw in Industrial Network Director release 1.6.0; all earlier releases are affected, so the threat is removed only for deployments that have upgraded to 1.6.0 or later.
Cisco has not had an easy week, as it also disclosed a separate vulnerability in the BIOS upgrade utility used for its C-Series Rack Servers.
Because the utility insufficiently validates firmware images, a local, authenticated attacker can install a malicious BIOS on an affected device. Firmware implanted this way runs beneath the operating system and survives an OS reinstall, which is what makes the flaw worth attention despite its local, authenticated preconditions. Cisco has not released a patch for this vulnerability as of now, though one should be expected.