Cisco has addressed multiple vulnerabilities in its products, including high-risk flaws in Webex Player, SD-WAN software, and ASR 5000 series software.
The IT giant fixed three high-severity vulnerabilities (CVE-2021-1503, CVE-2021-1526, CVE-2021-1502) affecting Webex Player for Windows and macOS. Both CVE-2021-1502 and CVE-2021-1503 are memory corruption vulnerabilities that impact the Webex Network Recording Player and Webex Player releases 41.4 and later.
“A vulnerability in Cisco Webex Network Recording Player for Windows and MacOS and Cisco Webex Player for Windows and MacOS could allow an attacker to execute arbitrary code on an affected system,” reads the advisory for CVE-2021-1503 published by Cisco. “This vulnerability is due to insufficient validation of values in Webex recording files that are in either Advanced Recording Format (ARF) or Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system.”
CVE-2021-1526 is a memory corruption issue in Cisco Webex Player for Windows and macOS that attackers could exploit, through rigged Webex Recording Format (WRF) files, to execute arbitrary code on a vulnerable system.
“This vulnerability is due to insufficient validation of values in Webex recording files that are in Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user,” reads the advisory.
The company also addressed a high-risk privilege escalation vulnerability, tracked as CVE-2021-1528, in SD-WAN software. An attacker could exploit the vulnerability to gain elevated privileges on a vulnerable system.
The flaw affects SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud and vEdge Routers, vManage, and vSmart Controller).
Cisco also patched two authorization bypass issues, tracked as CVE-2021-1539 and CVE-2021-1540, in ASR 5000 series software (StarOS) that could allow attackers to bypass authorization and execute CLI commands on an affected machine.