Cisco Systems has released fixes for a few vulnerabilities, including three Ripple20 flaws.
One fix is for the path-traversal flaw (CVE-2020-3452) in the Switchzilla Adaptive Security Appliance and Firepower Threat Defense software. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.
“We have become aware of the availability of public exploit code and active exploitation of the vulnerability that is described in this advisory. Cisco encourages customers with affected products to upgrade to a fixed release as soon as possible,” Cisco said.
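As an added example (not Cisco's code and not from the advisory), the following Python scans constructed access-log lines for the directory traversal sequences described above; it percent-decodes each request path first, so single- and double-encoded variants are not missed, and distinguishes a `..` segment that stays inside the web root from one that climbs above it. The log format, client addresses and paths are assumptions.

```python
from urllib.parse import unquote

# Constructed sample lines in a simplified "<client> <method> <raw_path> <status>"
# format; this is NOT Cisco's log format and the paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 GET /portal/login.html 200
203.0.113.5 GET /portal/css/../main.css 200
198.51.100.7 GET /portal/..%2F..%2Fsystem/app.conf 200
198.51.100.7 GET /portal/%252e%252e/%252e%252e/system/app.conf 200
203.0.113.9 GET /portal/..data/file.txt 404
"""

def normalize_path(raw_path):
    """Percent-decode repeatedly (catches double encoding) and unify slashes."""
    path = raw_path
    for _ in range(3):                 # bounded: stop once decoding is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(segments):
    """True if '..' segments climb above the web root at any point."""
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(raw_path):
    """Return 'escape', 'traversal' or None for one request path."""
    segments = normalize_path(raw_path).split("/")
    if ".." not in segments:
        return None
    return "escape" if escapes_root(segments) else "traversal"

def scan_log(text):
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                   # skip malformed lines
        client, _method, raw_path, _status = parts
        verdict = classify(raw_path)
        if verdict:
            hits.append((client, raw_path, verdict))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the three flagged requests; the `..data` and plain login lines are not reported.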
The second fix addresses three vulnerabilities (CVE-2020-11896, CVE-2020-11897 and CVE-2020-11898) that belong to the set collectively known as Ripple20. Exploitation of these flaws allows an attacker to take control of a vulnerable device. The issues affect the Cisco ASR 5000 and 5500 routers, as well as the Virtual Packet Core solution and the StarOS operating system.
Administrators are advised to apply the patches as soon as possible.
Ripple20 comprises 19 vulnerabilities affecting billions of Internet-connected devices from 500 manufacturers around the world. The problems were discovered in the Treck TCP/IP library, and they allow an attacker to remotely take full control of a device without any user interaction.