Cisco published ten security advisories as part of its bi-annual patch day.
The advisories resolve a number of security vulnerabilities. The most serious vulnerability (CVSS 10) deals with Catalyst switches running the company’s iOS network operating system software. A bug in the Smart Install remote maintenance feature allowed remote attackers to execute arbitrary code on affected switches.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install feature.
The other advisories fix denial-of-service (DoS) vulnerabilities in iOS, Unified Communications Manager and 1000 series routers.
Cisco released updates which fix these vulnerabilities; workarounds exist for some of the problems. As promised, Cisco has also fixed the backdoor vulnerability in its Identity Services Engine (ISE) identity management software.
With the ISE, the underlying database used, its identity and access control policy platform, contains three sets of default credentials a hacker could exploit via a remote attacker without any end-user interaction.
Using these credentials, an attacker could modify the configuration and settings, or even gain complete administrative control of a device. All hardware appliance and software-only versions of Cisco ISE prior to 1.0.4.MR2 have the issue.