Cisco released security updates for 2 severe vulnerabilities that affected Cisco wireless VPN, Firewall and Cisco Webex Meetings Desktop App.
First one is a remote command execution vulnerability that has been marked as “Critical” and another one is local Command Injection Vulnerability which is marked as “high” severity.
Remote Command Execution Vulnerability CVE-2019-1663 affected Cisco RV110W, RV130W, and RV215W Routers Wireless-N VPN and Firewall management interface allows remote attacker to execute arbitrary code on an vulnerable device.
Another local command injection vulnerability CVE-2019-1674 that affected Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools allow local attackers to execute arbitrary commands as a privileged user.
Remote command execution flaw affected the Cisco Wireless VPN & Firewall based routers due to improper validation of user-supplied data in the web-based management interface.
- RV110W Wireless-N VPN Firewall
- RV130W Wireless-N Multifunction VPN Router
- RV215W Wireless-N VPN Router
Remote attackers exploit this vulnerability by sending malicious HTTP requests to a targeted device and gained the complete control of the
affected device with high priviledge.
Another local command injection vulnerability affects all Cisco Webex Meetings Desktop App releases prior to 33.6.6, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.7.
This Webex vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument.
First Vulnerability reported by Yu Zhang and Haoliang Lu at the GeekPwn conference and another local command injection flaw reported by
Marcos Accossatto of SecureAuth.
Cisco advised users to immediately apply these patches immediately to keep the network safe and secure.