Cisco Patches High-Severity Vulnerabilities in Network Operating System

Share This Post

Cisco on Wednesday announced patches for eight vulnerabilities in the IOS XR network operating system, including fixes for six high-severity bugs.

The most severe of the flaws is CVE-2024-20398 (CVSS score of 8.8), an insufficient validation of user arguments that IOS XR passes to specific CLI commands.

“An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root,” Cisco explains.

Next in line is CVE-2024-20304 (CVSS score of 8.6), a bug impacting the Mtrace2 feature of IOS XR that could be exploited remotely, without authentication, to cause a denial-of-service (DoS) condition.

“This vulnerability exists because the Mtrace2 code does not properly handle packet memory. An attacker could exploit this vulnerability by sending crafted packets to an affected device,” the tech company explains.

Cisco also warned that two high-severity flaws affecting the Routed Passive Optical Network (PON) controller software that runs as a docker container on devices running IOS XR could be exploited for command injection, allowing authenticated attackers to execute commands as root or retrieve MongoDB credentials.

The two bugs, tracked as CVE-2024-20483 and CVE-2024-20489, impact NCS 540, NCS 5500, and NCS 5700 routers, and will be resolved with future updates, Cisco says.

On Wednesday, the tech company announced fixes for two other high-severity DoS flaws in its network OS, including one affecting the handling of specific Ethernet frames and another impacting the segment routing feature for the IS-IS routing protocol.

Advertisement. Scroll to continue reading.

Fixes were also announced for two medium-severity bugs in IOS XR that could allow attackers to read files from the underlying Linux operating system, or cause a DoS condition on XML TCP listen port 38751.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s semiannual IOS XR software security advisory.

Related: Cisco Patches Critical Vulnerabilities in Smart Licensing Utility

Related: Cisco Systems Joins Microsoft, IBM in Vatican Pledge to Ensure Ethical Use and Development of AI

Related: Cisco Patches Code Execution Flaw in VPN Product 6 Months After Disclosure

Related: Cisco Adds Vulnerability Identification to Tetration Platform

This post was originally published on this site

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .