Cisco Family September 2024 First Security Update Advisory

Overview

Cisco (https://www.cisco.com) has released security updates that fix vulnerabilities in its products. Users of affected systems are advised to update to the latest version.

Affected Products

Cisco ConfD

Cisco IOS XR Software

Resolved Vulnerabilities

Vulnerability in Cisco IOS XR Software due to insufficient data validation, which could allow elevation of privilege to administrator level (CVE-2024-20398, CVSS 8.8) [1]

Vulnerability in Cisco ConfD, Cisco IOS XR Software due to insufficient authorization settings, which could allow unauthorized modification of the configuration of an affected application or device (CVE-2024-20381, CVSS 8.8) [2]

Vulnerability in Cisco IOS XR Software that could allow incoming UDP packet memory to be exhausted because the Mtrace2 code does not properly handle packet memory (CVE-2024-20304, CVSS 8.6) [3]

Vulnerability in Cisco IOS XR Software that could allow MongoDB credentials on devices running Cisco IOS XR Software to be viewed, because database credentials are stored unencrypted (CVE-2024-20489, CVSS 8.4) [4]

Vulnerability in Cisco IOS XR Software that could cause control plane protocol relationships to fail due to incorrect classification of certain types of Ethernet frames received on an interface (CVE-2024-20317, CVSS 7.4) [5]

Vulnerability in Cisco IOS XR Software due to insufficient validation of input values, which could cause the IS-IS process to crash and restart on all affected devices participating in the flexible algorithm (CVE-2024-20406, CVSS 7.4) [6]

Vulnerability in Cisco IOS XR Software due to lack of data validation, which could allow arbitrary command execution with administrator privileges (CVE-2024-20483, CVSS 7.2) [7]

Vulnerability in Cisco IOS XR Software due to incorrect validation of arguments passed to certain CLI commands, which could allow an attacker to access files in read-only mode on Linux file systems (CVE-2024-20343, CVSS 5.5) [8]

Vulnerability in Cisco IOS XR Software due to lack of proper error validation of incoming XML packets, which could cause XML TCP port 38751 to become inaccessible for as long as the attack traffic persists (CVE-2024-20390, CVSS 5.3) [9]

Vulnerability Patches

Product-specific vulnerability patches were made available in the 09/11/2024 update. Please refer to the 'Affected Products' and 'Fixed Software' sections of the product-specific advisories listed under Referenced Sites below to apply the patches.

Referenced Sites

[1] Cisco IOS XR Software CLI Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-priv-esc-CrG5vhCq

[2] Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp

[3] Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pak-mem-exhst-3ke9FeFy

[4] Cisco Routed Passive Optical Network Controller Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL

[5] Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-l2services-2mvHdNuC

[6] Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-xehpbVNe

[7] Cisco Routed Passive Optical Network Controller Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL

[8] Cisco IOS XR Software CLI Arbitrary File Read Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-shellutil-HCb278wD

[9] Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-xml-tcpdos-ZEXvrU2S