Cisco Security Updates 12 January 2023

Cisco has released security updates to address several vulnerabilities in multiple Cisco products.

The released security updates fix several vulnerabilities affecting multiple Cisco products such as RV016, RV042, RV042G, and RV082 Routers, IP Phone 7800 and 8800 Series, Industrial Network Director (IND), and Cisco Webex Room Phone.

Most of the addressed vulnerabilities stem from improper validation of user-supplied input in HTTP requests to the web-based management interface. An attacker who sends a specially crafted HTTP request to that interface could, depending on the product and vulnerability, steal the victim's cookie-based authentication credentials, bypass authentication, obtain root access, disclose sensitive information, or cause a denial of service on the affected system.

Samples of the addressed vulnerabilities:

1. Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Authentication Bypass (CVE-2023-20025):

• CVSS: 9.0

• Attack Vector: Network

• Attack Complexity: High

• Privileges Required: None

• User Interaction: None

• Consequences: Authentication bypass

2. Cisco Industrial Network Director Information Disclosure (CVE-2023-20038):

• CVSS: 8.8

• Attack Vector: Local

• Attack Complexity: Low

• Privileges Required: Low

• User Interaction: None

• Consequences: Information disclosure

It should be highlighted that Cisco has announced a critical authentication bypass vulnerability, for which public exploit code is available, affecting multiple end-of-life (EoL) VPN routers, and has advised customers to refer to the end-of-life notices for these products.
End-of-Sale and End-of-Life Cisco Announcement for the Cisco RV160 and RV260 VPN Router (all models)

Vulnerabilities

• CVE-2023-20025
• CVE-2023-20026
• CVE-2023-20018
• CVE-2023-20037
• CVE-2023-20038
• CVE-2023-20020
• CVE-2023-20007
• CVE-2023-20045
• CVE-2023-20002
• CVE-2023-20008
• CVE-2023-20040
• CVE-2023-20047
• CVE-2023-20043
• CVE-2023-20044
• CVE-2023-20058
• CVE-2023-20019

Mitigations

Enterprises should deploy the fixed software releases as soon as testing is complete. Note that for the end-of-life RV016, RV042, RV042G and RV082 routers Cisco has stated it will not release software updates; the Cisco advisory for those devices recommends disabling remote management and blocking access to ports 443 and 60443 as a workaround, and migrating to a supported platform.

References

• Cisco Security Advisory