Grab the Cisco-branded fly-swatter, it’s time for your weekly bug-splat.
Top of the list are four high-severity bugs, in Nexus 9000 switches, security managers, and application policy controllers.
The Nexus 9000 ACI Mode Switch has an issue in its ICMP implementation, remotely exploitable to cause a denial-of-service.
An ICMP packet with IPv4 Type 7 “record route” option is handled improperly, so a crafted packet will force a reload. Since the only workaround is to drop all ICMP packets “and can only be applied when working with the Cisco TAC,” it’s better to apply the patch the company’s released.
The company has patched a privilege escalation bug in its Application Policy Infrastructure Controller, which was vulnerable to an attacker reconfiguring the device using crafted REST commands.
Also vulnerable to privilege escalation: the Cisco ASA-CX and Cisco Prime Security Manager.
This one’s a treat, actually: a password change request isn’t fully qualified, meaning someone in the know could send crafted HTTP requests to change anyone’s password – including the administrator’s.
“All versions of Cisco ASA-CX Content-Aware Security and Cisco PRSM software prior to 188.8.131.52(112) are affected,” the advisory states, so apply the patch.
Other patches announced by Cisco are here. ®
Building secure multi-factor authentication