A few of the more critical problems were CVE-2020-3187, a vulnerability in the web services interface in both products that could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files.
CVE-2020-3298 and CVE-2020-3298 also affect both products. It is a vulnerability in the Open Shortest Path First implementation that could allow an unauthenticated, remote attacker to cause the reload of an affected device, resulting in a denial of service condition.
Multiple vulnerabilities in the Media Gateway Control Protocol inspection feature in the two products are covered by CVE-2020-3254. The vulnerabilities are due to inefficient memory management. An attacker could exploit these vulnerabilities by sending crafted MGCP packets through an affected device. An exploit could allow an attacker to cause memory exhaustion resulting in a restart of an affected device, causing a DoS condition for traffic traversing the device.
This article was first published in SC US.