Cisco released security updates to address vulnerabilities in multiple Cisco products that could allow a remote attacker to take control of an affected system.
In the release, Cisco fixed 45 vulnerabilities, one of which was labeled critical, eight high and 36 medium.
The critical vulnerability consisted of multiple issues in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager that could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.
These vulnerabilities affect Cisco PI Software Releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.
One of these issues, CVE-2019-1821, could be exploited by an unauthenticated attacker who has network access to the affected administrative interface, Cisco said in its advisory.
The second and third issues, CVE-2019-1822 and CVE-2019-1823, require an attacker to have valid credentials to authenticate to the impacted administrative interface.
These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system, Cisco said.
Cisco released software updates that address these vulnerabilities. There are no workarounds.
These vulnerabilities are fixed in Cisco PI Software Releases 3.4.1, 3.5, and 3.6, and EPN Manager Release 3.0.1.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any ongoing attacks.