Home & Office

Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows

Cisco has disclosed four high-severity flaws, but there are no critical flaws in this month's updates.
Written by Liam Tung, Contributing Writer

Cisco is urging customers to update small business switches, its DNA Center software, routers with its StarOS software, and its AnyConnect Secure Mobility VPN client for Windows. 

Also: The best VPNs in 2020

Cisco has disclosed a bug in the IPv6 packet processing engine of several Cisco Small Business Smart and Managed Switches that could allow a remote attacker without credentials to trigger a denial of service on affected devices. 

Affected switches include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, 550X Series Stackable Managed Switches, Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, and Small Business 500 Series Stackable Managed Switches. 

SEE: Research: Why Industrial IoT deployments are on the rise (TechRepublic Premium)

While the bug leaves all named switches vulnerable to being rebooted and knocked offline, only four of them have software updates available because some are beyond the end-of-software-maintenance milestone. 

The switches with an update available include 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches, and 550X Series Stackable Managed Switches. 

Cisco says it's not aware of any malicious use of the vulnerability and found it during internal testing. It's given the bug, tracked as CVE-2020-3363, a severity score of 8.6 out of 10. It also notes that the issue only affects IPV6 traffic, not IPv4 traffic.

Certain versions of Cisco's DNA Center network automation software are also vulnerable to a high-severity flaw that could let a remote attacker access sensitive information, including configuration files. It has a severity rating of 7.5. 

The software doesn't handle authentication tokens properly, according to Cisco. This allows an attacker to send a crafted HTTPS request to an affected device. The bug, tracked as CVE-2020-3411, affects all 1.3.x versions of DNA Center software releases prior to 

This bug was also found in internal testing and Cisco is not aware of its use in malicious attacks.  

There's a slightly more serious flaw in the IPv6 implementation of Cisco StarOS. It's being tracked as CVE-2020-3324 and could allow a remote attacker without credentials to cause a denial of service on affected routers. It has a severity rating of 8.6. 

Affected devices include Cisco's ASR 5000 Series Aggregation Services Routers and its Virtualized Packet Core-Single Instance (VPC-SI).

The routers could be attacked if they are running a vulnerable release of Cisco StarOS and have the Vector Packet Processing (VPP) feature enabled. However, VPP is disabled by default. Cisco has details about which releases of StarOS have been fixed in the advisory

Finally, AnyConnect VPN mobility client for Windows has a flaw that can let an authenticated, local attacker perform a dynamic link library (DLL) hijacking attack. If attackers gained valid credentials on the Windows system, they could run malicious code with system-level privileges. 

"An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process," Cisco explains in the advisory

"A successful exploit could allow the attacker to execute arbitrary code on the affected machine with System privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system."

SEE: Patch now: Cisco warns of nasty bug in its data center software

Users running Cisco AnyConnect Secure Mobility Client for Windows releases 4.9.00086 and later are not vulnerable. 

This bug doesn't affect the AnyConnect client for macOS, Linux, or the client for iOS, Android, and the Universal Windows Platform. Cisco has given CVE-2020-3433 a severity score of 7.8. 

Cisco lists a further 15 medium-severity flaws on the company's security advisories page

More on Cisco and network security

  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise'  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes 'call center in a box', patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Cisco: Patch this critical firewall bug in Firepower Management Center  
  • Critical Cisco DCNM flaws: Patch right now as PoC exploits are released  
  • Cisco critical bugs: Nexus data center switch software needs patching now  
  • Cisco: All these routers have the same embedded crypto keys, so update firmware  
  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Editorial standards