Cisco this week released a massive set of security advisories detailing 10 separate vulnerabilities in some of its major software and unified communications products. It's one of the broadest sets of security advisories Cisco has made all year.
The specific vulnerabilities, detailed on the Security Advisory section of Cisco's corporate web site, includes a denial of service (DOS) vulnerability in Cisco's IOS IP Service Level Agreement feature. That vulnerability is triggered when, according to Cisco, "malformed UDP packets are sent to a vulnerable device." Cisco released software updates to address the vulnerability.
Another vulnerability is detailed for Cisco's 10000 Series Router, in which an attacker can cause a device reload by sending a series of ICMP packets. Cisco released software updates, and in its security bulletin, also said workarounds are available to protect the routers.
Next up is a vulnerability in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software. According to Cisco, which again released free software to combat the problem, an unauthenticated, remote attacker could be able to perform remote code execution on affected devices.
Another vulnerability is in Cisco's Unified Communications Manager, which according to Cisco contains a "memory leak vulnerability that could be triggered through the processing of malformed Session Initiation Protocol (SIP) messages." Free software is coming from Cisco for supported UCM versions, and there is an existing workaround, as well.
More vulnerabilities include the Data-Link Switching feature in Cisco's IOS software, multiple DoS vulnerabilities in the network address translation (NAT) feature of IOS specific to NetMeeting Directory, SIP and H.323, and the IPv6 protocol stack implementation in IOS. Free software updates from Cisco address all, the company stated.
Additional DoS vulnerabilities exist in the SIP implementation in IOS and also Cisco's IOS XE Software, Cisco said. Free software releases cover the vulnerabilities, and while there aren't workaround available for devices that must run SIP, Cisco said mitigations can "limit exposure to the vulnerabilities."
The last vulnerability mentioned by Cisco in this week's update concerns the Jabber Extensible Communications Platform and Cisco Unified Presence. A DoS vulnerability exists in both through which an unauthenticated, remote attacker could send malicious XML to an affected server, Cisco said. There are no workarounds available, Cisco said.