Cisco released security updates to address vulnerabilities in multiple products; a remote attacker could exploit some of them to take control of an affected system.
One of the vulnerabilities Cisco patched, rated high severity, affects the Cisco Industrial Network Director (IND) and could allow an authenticated, remote attacker to execute arbitrary code.
The vulnerability affects software releases prior to 1.6.0 and is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system with administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.
Cisco released software updates that address this vulnerability. There are no workarounds that address it.
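The IND flaw is a classic instance of insufficient upload validation: a file accepted by name alone can be placed and interpreted as code. The following is an added example (not Cisco's code and unrelated to the IND implementation) showing the checks an upload handler should apply before a file is stored: a size bound, rejection of client-supplied path components, a strict filename pattern, an extension allowlist decided by the last extension, and a magic-byte check so that content must match the declared type. The allowed types, size limit and directory are assumptions for the example, and `store_upload` additionally writes under a server-generated name so the original name never influences where code could land.

```python
import os
import re
import secrets
from pathlib import Path, PurePosixPath

# Assumed policy for this example: allowed extensions and the leading bytes each must carry.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit
# Single-segment names only: no slashes, no NUL/percent tricks, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UploadRejected(ValueError):
    """Raised for any upload that fails a policy check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the sanitised basename if every check passes, otherwise raise UploadRejected."""
    if not content or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size out of bounds")
    # Drop any directory component the client supplied; if the name changed, it carried one.
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base != filename or not SAFE_NAME.match(base):
        raise UploadRejected("unsafe filename")
    # The *last* extension decides the type, so 'report.pdf.jsp' is judged as '.jsp'.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # Declared type must agree with the bytes; renaming a script to .png does not pass.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return base


def store_upload(filename: str, content: bytes, upload_dir: Path) -> Path:
    """Validate, then write under a random server-chosen name with restrictive permissions."""
    base = validate_upload(filename, content)
    ext = os.path.splitext(base)[1].lower()
    upload_dir = upload_dir.resolve()
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = (upload_dir / (secrets.token_hex(16) + ext)).resolve()
    # Defence in depth: the final path must still sit inside the upload directory.
    if target.parent != upload_dir:
        raise UploadRejected("resolved path escaped upload directory")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


def run_samples() -> dict:
    """Constructed inputs illustrating accepted and rejected uploads."""
    samples = {
        "report.pdf": b"%PDF-1.7 constructed sample",
        "../../etc/cron.d/job": b"constructed",
        "page.jsp": b"constructed",
        "report.pdf.jsp": b"%PDF-1.7 constructed",
        "logo.png": b"not really a png",
    }
    results = {}
    for name, data in samples.items():
        try:
            results[name] = validate_upload(name, data)
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name!r:28} -> {outcome}")
```

Note that the check order matters little for security but a lot for log quality: rejecting on size first keeps oversized uploads from reaching the parser, and the final magic-byte check is what catches a script renamed to an image extension.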
Another high-rated vulnerability Cisco fixed is in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS), and Cisco Expressway Series. It could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service (DoS) condition.
The vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. A successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not affect users who were authenticated before the attack.
The following are additional medium-rated vulnerabilities Cisco fixed:
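The DoS above illustrates the design rule that a malformed authentication request must fail for that one request, never for the whole authentication service. The following is an added example (not Cisco's code and not a description of any Cisco implementation) of handling an XMPP SASL `<auth/>` stanza defensively: a size bound before parsing, every parse and decode error caught and turned into a per-request rejection, a mechanism allowlist, and strict validation of the PLAIN credential layout. The mechanism set and size limit are assumptions; the sample stanzas are constructed for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
ALLOWED_MECHANISMS = {"PLAIN", "SCRAM-SHA-1"}  # assumed: what this service offers
MAX_STANZA_BYTES = 4096                        # assumed: ample for an <auth/> stanza


def handle_auth_stanza(raw: bytes) -> tuple:
    """Validate one SASL <auth/> stanza.

    Returns ("ok", authcid) for a well-formed PLAIN request or ("reject", reason)
    otherwise. It never raises: a bad request is dropped, the service keeps running.
    (For production XML parsing, use a hardened parser such as defusedxml.)
    """
    if len(raw) > MAX_STANZA_BYTES:
        return ("reject", "stanza too large")
    try:
        el = ET.fromstring(raw)
    except (ET.ParseError, ValueError):
        return ("reject", "malformed xml")
    if el.tag != f"{{{SASL_NS}}}auth":
        return ("reject", "not an auth stanza")
    mech = el.get("mechanism", "")
    if mech not in ALLOWED_MECHANISMS:
        return ("reject", "unsupported mechanism")
    try:
        payload = base64.b64decode((el.text or "").strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("reject", "invalid base64")
    if mech == "PLAIN":
        # RFC 4616 layout: [authzid] NUL authcid NUL passwd; exactly three fields.
        parts = payload.split(b"\x00")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            return ("reject", "malformed PLAIN credentials")
        try:
            authcid = parts[1].decode("utf-8")
        except UnicodeDecodeError:
            return ("reject", "non-utf8 identity")
        return ("ok", authcid)
    return ("reject", "mechanism not implemented in this example")


def plain_stanza(authcid: str, password: str) -> bytes:
    """Build a constructed PLAIN <auth/> stanza for testing the handler."""
    blob = base64.b64encode(b"\x00" + authcid.encode() + b"\x00" + password.encode()).decode()
    return f'<auth xmlns="{SASL_NS}" mechanism="PLAIN">{blob}</auth>'.encode()


def run_samples() -> dict:
    """Constructed requests: one valid, the rest malformed in different ways."""
    samples = {
        "valid": plain_stanza("alice", "secret"),
        "oversized": b"<auth xmlns='%s' mechanism='PLAIN'>" % SASL_NS.encode()
                     + b"A" * (MAX_STANZA_BYTES + 1) + b"</auth>",
        "truncated": b"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>AGF",
        "bad_base64": f'<auth xmlns="{SASL_NS}" mechanism="PLAIN">!!notbase64!!</auth>'.encode(),
        "unknown_mech": f'<auth xmlns="{SASL_NS}" mechanism="EXTERNAL">AA==</auth>'.encode(),
        "missing_fields": f'<auth xmlns="{SASL_NS}" mechanism="PLAIN">YWxpY2U=</auth>'.encode(),
    }
    return {name: handle_auth_stanza(stanza) for name, stanza in samples.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:15} -> {outcome}")
```

Each branch returns a reason string rather than raising, which is what keeps a single crafted request from taking down the service for everyone; the reason strings also make a clean signal for rate-limiting or alerting on a source that repeatedly sends malformed stanzas.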
• Webex Meetings Server Information Disclosure Vulnerability (cisco-sa-20190605-webexmeetings-id)
• TelePresence Video Communication Server and Cisco Expressway Series Server-Side Request Forgery Vulnerability (cisco-sa-20190605-vcs)
• Unified Computing System BIOS Signature Bypass Vulnerability (cisco-sa-20190605-ucs-biossig-bypass)
• IOS XR Software Secure Shell Authentication Vulnerability (cisco-sa-20190605-iosxr-ssh)
• Industrial Network Director Stored Cross-Site Scripting Vulnerability (cisco-sa-20190605-ind-xss)
• Industrial Network Director Cross-Site Request Forgery Vulnerability (cisco-sa-20190605-ind-csrf)
• Enterprise Chat and Email Cross-Site Scripting Vulnerability (cisco-sa-20190605-ece-xss)