Cisco has disclosed over a dozen high-severity vulnerabilities affecting the widely deployed Cisco IOS and IOS XE network automation software, including a nasty one affecting its industrial routers and grid routers.
The company is also warning customers to disable an L2 traceroute feature in IOS for which there is public exploit code.
Cisco is urging admins to review which versions of Cisco IOS and IOS XE their devices are running to ensure these have been updated to versions that address 13 separate flaws.
The flaws have been disclosed as part of Cisco’s twice-yearly software security advisory bundle for Cisco IOS and IOS XE, which is released on the fourth Wednesday of March and September.
This update includes 12 advisories detailing 13 high-severity vulnerabilities that could give an attacker unauthorized access to an affected device, allow them to run a command-injection attack, or exhaust a device’s resources and cause a denial of service.
Although none is rated as critical, a bug tracked as CVE-2019-12648 in the IOx application environment for IOS has a CVSS 3.0 score of 9.9 out of a possible 10.
Cisco explains that even though this CVSS score usually corresponds to a critical rating, this bug is contained within a guest operating system running on a virtual machine of an affected IOS device. The bug doesn’t give an attacker the ability to gain administrative access to IOS itself.
By Liam Tung
September 26, 201