Cisco has released security updates for high-severity security flaws affecting Webex Teams for Windows, its Identity Services Engine, and Video Surveillance 8000 Series IP Cameras.
In this month's first round of security updates from Cisco, the most serious vulnerability addressed is a remote code-execution (RCE) and denial-of-service (DoS) bug affecting its Video Surveillance 8000 Series IP Cameras.
The flaw, tracked as CVE-2020-3544, has a severity rating of 8.8 out of 10, on par with similar RCE and DoS flaws Cisco disclosed in August[1] affecting the Video Surveillance 8000 Series IP Cameras.
Both sets of vulnerabilities were reported by Qian Chen of Qihoo 360 Nirvan Team and both concern flaws in the Cisco Discovery Protocol, a Layer 2 or data link layer protocol in the Open Systems Interconnection (OSI) networking model.
Similarly, both are due to "missing checks when an IP camera processes a Cisco Discovery Protocol packet".
"An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a DoS condition," Cisco notes in the new advisory[3].
Cisco customers who updated the cameras to firmware release 1.0.9-4 or later after the August advisory should be safe, but customers who didn't update to that release or later are still vulnerable. There are no workarounds.
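The advisory does not say which checks were missing. As an added illustration (not Cisco's code and not taken from the advisory), these are the length checks any parser of the public Cisco Discovery Protocol type-length-value layout needs before it touches a value; the function name, status codes and sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Public CDP payload layout: 1-byte version, 1-byte TTL, 2-byte checksum,
 * then TLVs of 2-byte type, 2-byte length, value.
 * The TLV length field counts its own 4-byte header. */
#define CDP_HDR_LEN 4u
#define TLV_HDR_LEN 4u

enum cdp_status { CDP_OK = 0, CDP_SHORT_HEADER, CDP_TRUNCATED_TLV_HEADER,
                  CDP_TLV_LEN_TOO_SMALL, CDP_TLV_OVERRUNS_PACKET };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk every TLV and reject the packet on the first inconsistent length.
 * *tlv_count holds the number of well-formed TLVs seen before returning. */
enum cdp_status cdp_validate(const uint8_t *buf, size_t len, size_t *tlv_count)
{
    size_t off = CDP_HDR_LEN;
    *tlv_count = 0;
    if (len < CDP_HDR_LEN)
        return CDP_SHORT_HEADER;
    while (off < len) {
        if (len - off < TLV_HDR_LEN)      /* type and length fields must fit */
            return CDP_TRUNCATED_TLV_HEADER;
        uint16_t tlv_len = be16(buf + off + 2);
        if (tlv_len < TLV_HDR_LEN)        /* value size would underflow; 0 would never advance */
            return CDP_TLV_LEN_TOO_SMALL;
        if (tlv_len > len - off)          /* TLV claims bytes past the end of the packet */
            return CDP_TLV_OVERRUNS_PACKET;
        off += tlv_len;
        (*tlv_count)++;
    }
    return CDP_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = { 0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x08, 'c', 'a', 'm', '1',   /* Device ID, length 8 */
    0x00, 0x05, 0x00, 0x06, 'v', '1' };           /* Software version, length 6 */
static const uint8_t overrun_pkt[] = { 0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x40, 'c', 'a', 'm', '1' }; /* claims 64 bytes, 8 present */
static const uint8_t tiny_len_pkt[] = { 0x02, 0xb4, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x02, 'x', 'x' };           /* length below TLV header size */

int main(void) {
    size_t n;
    printf("good=%d ", (int)cdp_validate(good_pkt, sizeof good_pkt, &n));
    printf("overrun=%d ", (int)cdp_validate(overrun_pkt, sizeof overrun_pkt, &n));
    printf("tiny=%d\n", (int)cdp_validate(tiny_len_pkt, sizeof tiny_len_pkt, &n));
    return 0;
}
```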
The second most severe flaw affects the web management interface of Cisco Identity Services Engine (ISE) and occurs because the interface doesn't properly enforce role-based access control.
The bug, tagged as CVE-2020-3467, has a severity rating of 7.7 out of