Cisco Systems late last week disclosed 29 new vulnerabilities, including a critical alert for customers using its ASR 9000 Series Aggregation Services Routers. A flaw on the router, if not fixed, can be exploited remotely without user credentials, the networking giant said on its security advisories and alerts page.
Cisco instructed ASR 9000 Series Aggregation Services router users to install an update to address a critical flaw on Wednesday. The ASR vulnerability, with a severity rating of 9.8 out of a possible 10, is the most severe of the 29 new flaws that Cisco has disclosed.
The vulnerability, according to Cisco, is due to incorrect isolation of the secondary management interface from internal sysadmin applications. If a hacker exploits the flaw, a denial of service attack or remote unauthenticated access to the device could result, Cisco said.
Cisco released software updates that address this vulnerability just as CRN Australia readers headed off on their Easter break. The company said that the flaw affects only Cisco software running on ASR 9000 Series Aggregation Services Routers and no other platforms have been impacted.
The CERT Coordination Center at Carnegie Mellon University last week found that VPN apps built by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure insecurely store authentication tokens and session cookies in memory or log files. Once the report was published, the U.S. Department of Homeland Security's cybersecurity division issued an alert. Cisco denied being impacted by the flaw, saying it had investigated the issue and determined that its AnyConnect platform is not vulnerable to the behavior described in the vulnerability note from CERT.