The IT and networking giant Cisco has outlined multiple vulnerabilities in its Webex, SD-WAN, and ASR 5000 products that could potentially allow attackers to execute arbitrary code.
Cisco has provided patches for a wide range of vulnerabilities, notably updates for high-risk issues in the widely used Webex Player, SD-WAN, and ASR 5000 Series.
A total of three high-severity flaws (CVSS score of 7.8) have been addressed and patched in Webex Player for Windows and macOS; two of them also affect the Webex Network Recording Player for those operating systems.
The first bug, CVE-2021-1526, is a memory corruption issue that can be exploited to execute arbitrary code on a vulnerable computer. Crafted Webex Recording Format (WRF) files could be used to exploit the vulnerability.
The problem affects Cisco Webex Player for Windows and macOS releases earlier than version 41.5 but does not affect the Webex Network Recording Player.
The other two vulnerabilities, CVE-2021-1502 and CVE-2021-1503, are memory corruption issues that affect both the Webex Network Recording Player and Webex Player on Windows and macOS.
Both can be used to execute arbitrary code on the affected system.
Both of these issues are resolved in version 41.4 of Webex Player and Webex Network Recording Player.
In addition, Cisco recently issued updates for CVE-2021-1528, a high-risk flaw (CVSS score of 7.8) in its SD-WAN software that might be used to gain elevated privileges on a vulnerable server.
This bug affects SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud and vEdge Routers, vManage, and vSmart Controller) but has been addressed in versions 20.4.2 and 20.5.1 of SD-WAN.
Cisco has also issued updates for several vulnerabilities in the ASR 5000 Series Software (StarOS) that might be leveraged to bypass authorization and execute CLI commands on an affected system. CVE-2021-1539 is the most significant of these defects (CVSS score of 8.1).
Cisco urges customers to upgrade to each product's patched versions as soon as possible. Furthermore, the company emphasizes that it is not aware of these vulnerabilities being exploited in attacks.
Cisco has also released information on other medium-risk vulnerabilities affecting a range of its products, including Webex Meetings, Webex Player, ThousandEyes Recorder, Video Surveillance 7000 IP cameras, and Common Services Platform Collector (CSPC).
The company also highlighted that several vulnerabilities found in the frame aggregation and fragmentation features of the 802.11 standard affect several of its products. An attacker could easily misuse such defects to forge encrypted frames and to exfiltrate sensitive device data.