(LiveHacking.Com) – Cisco has released six security advisories to address multiple vulnerabilities for a wide range of its products. These vulnerabilities may allow a hacker to execute arbitrary code, launch a denial-of-service attack, operate with escalated privileges and bypass security restrictions.
The first of the six advisories is about the Cisco Cius Software. According to Cisco it contains a denial of service vulnerability that could cause the device to stop responding. Devices running Cius Software Versions prior to 9.2(1) SR2 are vulnerable. A remote, unauthenticated attacker could exploit this vulnerability by sending malicious network traffic to affected devices. Cisco has released free software updates that address this vulnerability. Affected products are all Cius Wifi devices running Cius Software Version 9.2(1) SR1 and earlier.
The second vulnerability affects Cisco Unified Communications Manager devices which may allow a remote, unauthenticated attacker with the ability to send crafted Skinny Client Control Protocol (SCCP) messages to an affected device to cause a reload or execute attacker-controlled SQL code. The following products are affected Cisco Unified Communications Manager Software versions 6.x, 7.x and 8.x and Cisco Business Edition 3000, 5000, and 6000.
Cisco Unity Connection contains two vulnerabilities, a privilege escalation vulnerability and a denial of service vulnerability. Exploitation of these may allow an authenticated, remote attacker to elevate privileges and obtain full access to the affected system or cause system services to terminate unexpectedly. Cisco has released free software updates that address these vulnerabilities. Affected versions are Cisco Unity Connection 7.1 (and earlier), 8.0, 8.5 and 8.6.
The Cisco Wireless LAN Controller (WLC) product family is affected by several vulnerabilities including three different types of denial of service vulnerability (HTTP, IPv6 and WebAuth) as well as an unauthorized access vulnerability. Cisco has released free software updates that address these vulnerabilities.
Each of the following products is affected by at least one of the vulnerabilities:
- Cisco 2000 Series WLC
- Cisco 2100 Series WLC
- Cisco 2500 Series WLC
- Cisco 4100 Series WLC
- Cisco 4400 Series WLC
- Cisco 5500 Series WLC
- Cisco 500 Series Wireless Express Mobility Controllers
- Cisco Wireless Services Modules (WiSM)
- Cisco Wireless Services Modules version 2 (WiSM version 2)
- Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs)
- Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs)
- Cisco Catalyst 3750G Integrated WLCs
- Cisco Flex 7500 Series Cloud Controllers
Penultimately, Cisco TelePresence Video Communication Servers running software versions prior to X7.0.1 contain vulnerabilities that could allow an attacker to cause a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities.
Lastly the Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: a web interface command injection vulnerability, a unauthenticated configuration upload vulnerability and a directory traversal vulnerability. These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. Cisco has released free software updates that address these vulnerabilities.
The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26:
- Cisco SRP 521W
- Cisco SRP 526W
- Cisco SRP 527W
The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4:
- Cisco SRP 521W-U
- Cisco SRP 526W-U
- Cisco SRP 527W-U
The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4:
- Cisco SRP 541W
- Cisco SRP 546W
- Cisco SRP 547W