CSW Discovers its 50th Zero Day!

August: Cisco Patches 43 Security Vulnerabilities

Posted on Sep 16, 2021 | By Pavithra Shankar

Cisco Systems had released security patches to address 43 unique vulnerabilities in August, ranging in importance from critical, high, and medium severity. We analyzed these weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.

An Analysis of Cisco August Patched Vulnerabilities

The 43 vulnerabilities that were patched in August include 

  • 6 CVEs classified as Remote Code Execution bugs

  • 4 CVEs have Privilege Escalation capabilities

  • 16 CVEs with Denial of Service

  • 4 CVEs are Command Injection Execution

  • 2 CVEs are linked to Cross-Site Scripting

Two CVEs are weaponized with known exploits and being exploited in the wild.

Patch Latency

In this edition, we analyzed the Patch Latency Metrics for the collated vulnerabilities.

  • 66% of patches were released on the same day when the vulnerability got published by the vendor.

  • 9% of patches were released within the range of 2 and 50 days when the vulnerability got published by the vendor.

  • 16% of patches were released within the range of 100 and 200 days when the vulnerability got published by the vendor.

  • CVE-2019-1727, rated as a high severity, received a patch after 833 days.

Zero Days

Cisco disclosed two zero-day bugs that received a security update this August. 

CVE-2021-1585 is a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ADSM) Launcher that can be caused by improper signature verification for code exchanged between the ASDM and the Launcher. This flaw has a CVSS v3 score of 8.1 (high) which leads to Improper Control of Generation of Code ('Code Injection') under CWE-94.

Another Zero-day registered as CVE-2021-34730, a Denial of Service vulnerability  in Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. This has a CVSS v3 score of 9.8 (critical) which leads to Improper Input Validation under CWE-20 (2021 CWE Top 25 Most Dangerous Software Weaknesses).

Old Vulnerabilities

5 old vulnerabilities have been patched by Cisco in August 2021, spanning the years from 2019 to 2020. 

CISA Alert

Among these August Cisco patched vulnerabilities, six CVEs are red flagged by CISA.

Table: Cisco August Patches 2021

Despite the fact that software is easier to update than hardware, vulnerabilities are just as frequent and deadly. Hence, beware of newly disclosed vulnerabilities and do your utmost to implement updates as quickly as possible.

 

Does your organization have a patch management program? Talk to CSW’s Experts to prioritize the threats that need immediate attention!

 

Test your defense to know how secure you are…