Cisco plugs scores of flaws IOS and warns old router patch was 'incomplete'

Cisco has revealed 21 “high” and “medium” severity flaws affecting its widely-deployed networking operating system IOS as well as fixes for a botched patch it issued for small business routers in January that are under attack.

The networking giant released updates for 19 high severity flaws on Wednesday to fix a variety of vulnerabilities in its products that could lead to denial of service, information disclosure, and command injection.

Along with the new security updates, Cisco flagged two "incomplete" updates that were originallyreleased in January to plug serious flaws affecting the web interface of Cisco’sSmall Business RV320 and RV325 Dual Gigabit WAN VPN Routers.

One of the flaws, CVE-2019-1653, allowed an unauthenticated remote attacker to obtain configuration files from the device and an administrator’s hashed password, which could be used to log into the router through the web interface.

The second flaw, CVE-2019-1652, allowed an attacker with valid credentials to remotely execute commands on the device.

Cisco notes of the two flaws that it “is aware of the existence of public exploit code, as well as active network scanning targeting the vulnerability that is described in this advisory.”

“The initial fix for this vulnerability was found to be incomplete,” Cisco said in its updated advisories for the two flaws. “Cisco is currently working on a complete fix.”

The company plans to update the advisory once it turns out fixed code. For now it warns that firmware updates aren’t available yet and that there aren’t any workarounds.

The flaw affects routers running on firmware releases 1.4.2.15 and later.

All other newly disclosed high severity flaws detailed in advisories published on Wednesday were found through customers reports or internal testing.

Cisco said it was not aware of any of the bugs being attacked in the wild currently. Details about the flaws can be found on Cisco’s security advisory page.

The company earlier this month warned customers to install February updates that addressed a critical flaw, CVE-2019-1663, affecting the web interface of the CiscoRV110W Wireless-N VPN Firewall, CiscoRV130W Wireless-N Multifunction VPN Router, and CiscoRV215W Wireless-N VPN Router.

Cisco said it became aware of networking scanning that appeared to target a remote code execution flaw affecting the web interface of the routers. The potential attacks emerged after a security researcher revealed Cisco had used a notoriously dangerous C function called ‘strcpy’, which exposed devices to a buffer overflow memory vulnerability.

Copyright © 2019 IDG Communications, Inc.

The 10 most powerful cybersecurity companies