SME routers and Webex vulns lanced by patch batch

Cisco has released a bumper batch of security updates to address vulnerabilities in multiple products from the networking giant.

The bugs vary in severity, but some have the potential to allow attackers to inject malware onto affected systems.

Among the worst of the batch are arbitrary code execution vulnerabilities affecting Cisco Webex Player, a popular media player and video conferencing app.

“The vulnerabilities exist due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF),” Cisco explains in an advisory.

“An attacker could exploit these vulnerabilities by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system.”

Another high severity bug affects Cisco Prime Infrastructure and Evolved Programmable Network Manager, leaving unpatched versions of the technology vulnerable to a remote code execution (RCE) vulnerability.

Router bugs

Yet another candidate for prompt triage is a command injection vulnerability affecting a range of Cisco small business-focused routers.

“A vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker with administrative privileges to inject arbitrary commands into the underlying operating system,” Cisco explains in a security alert.

“When processed, the commands will be executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input.”

A vulnerability in the web-based management interface of certain Cisco Small Business RV Series routers presents a similar arbitrary command execution vulnerability risk.

Embedded encryption

Separately, Cisco warned that several routers aimed at small businesses have the same embedded encryption keys. Left unaddressed, the security weakness makes it easier for hackers to gain privileged access to vulnerable devices.

Kevin Bocek, vice president of security strategy and threat intelligence at certificate management firm Venafi, commented: “Security researchers discovered that the same keys and certificates, which act as machine identities and control access to sensitive data, were embedded in several routers.

“This oversight makes it much easier for attackers to impersonate trusted machines or gain unauthorized, privileged access to these devices.

“It’s unfortunate that many organizations still haven’t realized how important machine identities are to security. For example, it would be unthinkable for an organization to use the same default password on multiple machines but similar missteps with keys and certificates are increasingly common,” he added.

Cisco’s Security Advisories webpage has the full details on these and other lesser bugs, several of which revolve around denial of service or system crashing risks.