Cisco released security updates to address vulnerabilities in multiple products that a remote attacker could exploit to take control of an affected system.
In all, Cisco addressed nine vulnerabilities: one rated critical, three rated high, and five rated medium.
The critical vulnerability is the Cisco Vision Dynamic Signage Director REST API Authentication Bypass Vulnerability.
The issue lies in the REST API interface and could allow an unauthenticated, remote attacker to bypass authentication on an affected system.
The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system.
The REST API is enabled by default and cannot be disabled.
Cisco released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
In addition, a vulnerability rated high in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges.
The vulnerability is due to the presence of an account with static credentials in the underlying Linux operating system. An attacker could exploit this vulnerability by logging in to the command line of the affected VM with the static account. A successful exploit could allow the attacker to log in with root-level privileges.
According to the advisory, Cisco released software updates that address this vulnerability, and workarounds are also available.
As a workaround, administrators may issue the following command at a shell prompt on the local VM to disable access to the root account:
sudo passwd -dl root
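A quick way to confirm that the workaround took effect is to inspect the root entry of the shadow file: after "passwd -dl root" the password field is reduced to a lock marker. The script below is an added example, not code from the Cisco advisory; it runs against constructed sample files so it can be tried offline, and on a real VM you would point root_locked at /etc/shadow (which requires root to read).

```shell
#!/bin/sh
# Added example: verify that the root account in an /etc/shadow-style file is
# locked. A locked entry has a password field beginning with "!" (passwd -l) or
# consisting of "*"; "passwd -dl root" leaves just "!". An empty field means the
# account could be entered without a password, and a hash means a static
# password is still set.

# root_locked FILE -> exit 0 if root's password field is locked, 1 otherwise
root_locked() {
    field=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$field" in
        '!'*|'*') return 0 ;;   # locked, or no valid hash at all
        *)        return 1 ;;   # empty field or a usable hash
    esac
}

# check_root FILE -> human-readable status line; always exits 0
check_root() {
    if root_locked "$1"; then
        echo "$1: root is locked (workaround applied)"
    else
        echo "$1: root is NOT locked - run 'sudo passwd -dl root'"
    fi
}

# Constructed sample shadow files (not real credentials) for demonstration.
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
printf 'root:!:19000:0:99999:7:::\nadmin:$6$salt$fakehash:19000:0:99999:7:::\n' \
    > "$TMPDIR_EX/shadow.locked"
printf 'root:$6$salt$fakehash:19000:0:99999:7:::\n' > "$TMPDIR_EX/shadow.static"
printf 'root::19000:0:99999:7:::\n' > "$TMPDIR_EX/shadow.empty"

check_root "$TMPDIR_EX/shadow.locked"
check_root "$TMPDIR_EX/shadow.static"
check_root "$TMPDIR_EX/shadow.empty"
```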