- 221/2024
- Critical
Cisco has released security updates to fix several vulnerabilities across multiple Cisco products.
The addressed vulnerabilities could allow the remote attacker to perform denial of service attacks, conduct cross-site scripting attacks, bypass security restrictions, or execute arbitrary commands at the root privilege level and gain access to the affected system by sending specially crafted HTTP packets.
Sample of the addressed vulnerabilities:
1. Cisco Small Business SPA300 Series and SPA500 Series IP Phones Buffer Overflow Vulnerability (CVE-2024-20450):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Cisco Small Business SPA300 Series and SPA500 Series IP Phones Denial of Service Vulnerability (CVE-2024-20451):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Sample of the affected products:
- Cisco Small Business SPA300 Series and Cisco Small Business SPA500 Series IP Phones.
- Cisco IOS XR Software Network Convergence System (NCS) 540 Series Routers.
- Cisco IOS XR Software 8000 Series Routers.
- Cisco ISE.
Vulnerabilities
- CVE-2024-6387
- CVE-2024-3596
- CVE-2023-20236
- CVE-2024-20443
- CVE-2024-20479
- CVE-2024-20450
- CVE-2024-20451
- CVE-2024-20452
- CVE-2024-20453
- CVE-2024-20454
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.