Cloud computing security specialists reported the finding of multiple vulnerabilities in some Cisco products, such as IP Phone and Data Center Network Manager. Successful exploitation of these flaws would allow the deployment of malicious scenarios such as cross-site scripting attacks, theft of sensitive information, among others.
Below are brief overviews of reported errors, in addition to their respective tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).
- CVE-2020-3354: Insufficient disinfection of user-provided data in the Data Center Network Manager web management interface would allow hackers to deploy cross-site scripting (XSS) attacks. A remote authenticated attacker can inject and execute arbitrary HTML and script code into the user’s browser in the context of a vulnerable website. The fault received a score of 5.6/10.
- CVE-2020-3355: This vulnerability also exists due to insufficient disinfection of user input in the Data Center Network Manager web interface and would allow the deployment of XSS attacks. Its successful execution will allow the theft of information and even the modification of the target system. This flaw received a score of 5.6/10.
- CVE-2020-3356: Inadequate debugging of user-provided data through the Data Center Network Manager web management interface would allow arbitrary code to run in the context of a vulnerable website through XSS attacks. This flaw received a CVSS score of 6.3/10, according to cloud computing security specialists.
- CVE-2020-3360: Inadequate access controls on the Cisco IP Phone web-based management interface would allow remote hackers to access sensitive information on the target system. An attacker can send specially crafted requests, evade security restrictions, and gain unauthorized access to data such as call logs, usernames, and more. The flaw is found on Series 7800 and 8800 devices, and received a score of 4.6/10.
While these vulnerabilities can be exploited by unauthenticated remote hackers, the presence of a malware variant has not yet been detected to exploit any of these flaws. Cloud computing security experts point out that attempts to exploit in real-world scenarios have also not been detected.
Cisco began working on the corresponding updates as soon as the report was sent. Security patches are ready, so users of exposed deployments should only verify their correct installation.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.