Cisco has released 28 security advisories, in the process addressing a total of 30 vulnerabilities, including a critical unauthorised access bug found in the company’s Cisco Aironet Access Points (APs) software.
Officially designated CVE-2019-15260, the flaw potentially can be exploited to view sensitive information, interfere with configuration options and disable the AP, in order to create a denial of service condition for clients associated with the AP.
According to Cisco’s advisory, the flaw is the result of inadequate access control for certain URLs. "An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges," the advisory states. "While the attacker would not be granted access to all possible configuration options, it could allow the attacker to view sensitive information and replace some options with values of their choosing, including wireless network configuration."
Cisco has released a software updates to fix affected products, which were identified as the Aironet 1540 Series, Aironet 1560 Series, Aironet 1800 Series, Aironet 2800 Series, Aironet 3800 Series and Aironet 4800.
Cisco’s latest round of advisories also included six high-level vulnerabilities, found in the Wireless LAN Controller, SPA100 Series Analog Telephone Adapters, Small Business Smart and Managed Switches and Aironet.
Products found to contain medium-level bugs included the Wireless LAN Controller, Expressway Series and TelePresence Video Communication Server, TelePresence Collaboration Endpoint Software, SPA100 Series Analog Telephone Adapters, SPA122 ATA with Router Devices, Small Business Smart and Managed Switches, Identity Services Engine, Firepower Management Center and Aironet.
The original version of this article was published on SC Media US.