Cisco security warning: Patch Webex Teams for Windows and surveillance camera now

Cisco has released security updates for high-severity security flaws affecting Webex Teams for Windows, its Identity Services Engine, and Video Surveillance 8000 Series IP Cameras. 

In this month’s first round of security updates from Cisco, the most serious vulnerability addressed is a remote code-execution (RCE) and denial-of-service (DoS) bug affecting its Video Surveillance 8000 Series IP Cameras.

The flaw, tracked as CVE-2020-3544, has a severity rating of 8.8 out of 10, on par with similar RCE and DoS flaws it disclosed in August affecting the Video Surveillance 8000 Series IP Cameras. 

SEE: Security Awareness and Training policy (TechRepublic Premium)

Both sets of vulnerabilities were reported by Qian Chen of Qihoo 360 Nirvan Team and both concern flaws in the Cisco Discovery Protocol, a Layer 2 or data link layer protocol in the Open Systems Interconnection (OSI) networking model. 

Similarly, both are due to “missing checks when an IP camera processes a Cisco Discovery Protocol packet”.

“An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device. A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a DoS condition,” Cisco notes in the new advisory

Any Cisco customers with the product that updated to firmware releases 1.0.9-4 and later after the August advisory should be safe, but customers that didn’t update to that release or later will still be vulnerable. There are no workarounds. 

The second most severe flaw affects the web management interface of Cisco Identity Services Engine (ISE) and occurs because the interface doesn’t properly enforce role-based access control. 

The bug, tagged as CVE-2020-3467, has a severity rating of 7.7 out of 10. A remote attacker needs to be authenticated with read-only admin credentials to exploit the flaw.

However, if that condition is met, the attacker could modify a vulnerable device’s configuration after sending a crafted HTTP request to it and then bring unauthorized devices onto the network or block permitted devices from accessing the network.   

The issue affects ISE releases 2.3, 2.4. 2.5, 2.6, and 2,7. Versions 2.2 and earlier and version 3.0 are not vulnerable. Cisco has patch recommendations for each release in its advisory

The bug was reported to Cisco by Sebastian Halter of Deutsche Telekom.   

The third high-severity flaw affects Cisco’s Webex Teams client for Windows, but it can only be exploited by a local attacker with valid credentials on the Windows system. Nonetheless, an attacker could load malicious DLL files or Windows software libraries that execute when Webex Teams launches. 

“A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account,” Cisco explains. 

SEE: Cisco announces plans to acquire Kubernetes security player Portshift

Cisco Webex Teams for Windows releases 3.0.16269.0 and later are not vulnerable to the flaw. The flaw has a severity rating of 7.8 out of 10 and was reported by Hou JingYi of Qihoo 360 CERT.   

Cisco also disclosed 11 medium-severity bugs for products that should be patched or updated. These issues affect Cisco’s StarOS, SD-WAN vManage, Nexus Data Broker software, ISE, Industrial Network Director, Firepower Management Center, Expressway Series and Telepresence Video Communications Server, Email Security Appliance, Vision Dynamic Signage Director, and its Video Surveillance 8000 Series IP Cameras.

More on Cisco, networking and security

  • Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software  
  • Patch now: Cisco warns Jabber IM client for Windows has a critical flaw  
  • Cisco bug warning: Critical static password flaw in network appliances needs patching  
  • Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows  
  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes ‘call center in a box’, patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Cisco: Patch this critical firewall bug in Firepower Management Center  
  • Critical Cisco DCNM flaws: Patch right now as PoC exploits are released  
  • Cisco critical bugs: Nexus data center switch software needs patching now  
  • Cisco: All these routers have the same embedded crypto keys, so update firmware  
  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET