Cisco warns customers of critical security flaws, advisory includes Apache Struts

The massive security update includes a patch for the recently-disclosed Apache bug -- but not all products will be fixed yet.
Written by Charlie Osborne, Contributing Writer

Cisco has issued a security advisory to customers detailing a swathe of critical and highly-rated vulnerabilities which have been resolved.

The security advisory documents three critical vulnerabilities, 19 bugs rated "important," and a number of medium-severity security flaws.

One of the most serious bugs is a vulnerability impacting Apache Struts 2, which was publicly disclosed in August together with proof-of-concept (PoC) code.

If exploited, the security flaw, CVE-2018-11776 , permits attackers to remotely execute code due to insufficient validation of user input. According to Cisco, only one patch for one product has been issued so far to protect against the Apache bug.

Other products will receive fixes over the course of this month.


"Vulnerable products marked with an asterisk contain an affected Struts library, but due to how the library is used within the product, these products are not vulnerable to any of the exploitation vectors known to Cisco at the time of publication," the company added.

See also: Cryptojacking campaign exploiting Apache Struts 2 flaw kills off the competition

Another critical security flaw which has been tackled in this update is CVE-2018-0423, a vulnerability present in the web-based management interface of the Cisco RV110W Wireless-N VPN firewall, Cisco RV130W Wireless-N Multifunction VPN router, and Cisco RV215W Wireless-N VPN router.

The bug has been caused by improper boundary restrictions on user-supplied input in the "Guest" user feature. By sending crafted, malicious code, threat actors can trigger a buffer overflow condition.

See also: This malware disguises itself as bank security to raid your account

If exploited, attackers cause a denial-of-service (DoS) condition without the need for authentication, as well as execute arbitrary code.

The final critical vulnerability is CVE-2018-0435, which impacts the cloud security platform Cisco Umbrella.

Due to insufficient authentication configurations in the platform's API, authenticated, remote attackers are able to view and modify data across a corporate network -- as well as other organizations.

TechRepublic: Timehop breach illustrates need for multi-factor authentication

Critical Start's Section 8 cybersecurity team reported CVE-2018-0437 and CVE-2018-0438, two privilege escalation flaws in the enterprise platform.

The tech giant also resolved a range of vulnerabilities impacting the Webex Meetings Client, the SD-WAN solution certifications platform, the Data Center network manager and Tetration, among others.

The security flaws included Windows-based privilege escalation bugs, information leaks, command injection flaws, and cross-site scripting (XSS) vulnerabilities.

CNET: Huawei, ZTE get called out during Senate hearing on Facebook, Twitter

In March, Cisco patched a critical flaw in switch deployment software which exposed at least 8.5 million switches to exploit.

The vulnerability, CVE-2018-0171, affected the Smart Install Cisco client and enabled remote attackers to execute arbitrary code.

North Korea's history of bold cyber attacks

Previous and related coverage

Editorial standards