Cisco Patches 67 High-Severity CVEs
Cisco patched multiple high-severity flaws linked to 67 CVEs this past Wednesday. These included flaws in Cisco’s AnyConnect Secure Mobility Client and in the Cisco RV110W, RV120, RV130W, and RV215W small business routers. One flaw in Cisco’s smart Wi-Fi solution for retailers would have allowed a remote attacker to alter the password of any user account on the affected system.
This flaw affects Cisco Connected Mobile Experiences (CMX), a piece of software that is utilized by retailers to provide business insights or on-site customer experience analytics. The solution uses the Cisco wireless infrastructure to collect a treasure trove of data from the retailer’s Wi-Fi network, including real-time customer-location tracking.
The vulnerability (CVE-2021-1144) is due to incorrect handling of authorization checks for changing a password. The flaw ranks 8.8 out of 10 on the CVSS vulnerability-severity scale, making it high severity. Of note, to exploit the flaw, an attacker must have an authenticated CMX account – but would not need administrative privileges.
Another high-severity flaw (CVE-2021-1237) exists in the Cisco AnyConnect Secure Mobility Client for Windows. AnyConnect Secure Mobility Client, a modular endpoint software product, provides a wide range of security services (such as remote access, web security features and roaming protection) for endpoints.
The flaw allows attackers, if they are authenticated and local, to perform a dynamic-link library (DLL) injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.
Sixty of the CVEs exist in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. These flaws could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly.
Importantly, Cisco has said it will not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life.