In an advisory, Cisco Systems notified users of 12 security patches to fix vulnerabilities in its Internet Operating System (IOS) Software and Unified Communications Manager.
All but one of the patches correct vulnerabilities in the IOS software. The patches come with accompanying advisories describing the program bugs.
There have been no known instances of malicious use of the vulnerabilities described in the advisories, Jean Reese, senior manager of Cisco's product security incident response team (PSIRT), told SCMagazineUS.com Friday.
The vulnerabilities were discovered during internal testing and while handling customer service requests.
“This is the second time we have done a scheduled bundle and this is in direct response to feedback we have gotten from customers,” Reese said.
The next bundle of security patches is scheduled to be published in March 2009.
“We have a lot of different customers that use IOS across a myriad of products. We encourage customers to read the advisories,” Reese said.
Cisco rated the vulnerabilities using the CVSS scoring system, which relates the score to the core confidentiality, integrity and availability principles.
Cisco's highest-rated vulnerability, “uBR10012 Series Devices SNMP Vulnerability,” was given a base score of 10. The lowest-rated vulnerability, “Cisco IOS MPLS VPN May Leak Information,” was given a base score of 5.1.
“Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device,” Cisco's advisory stated.
Symantec Corp.'s ThreatCon rating went from an “elevated” level 2, where it was on Thursday, to a “low” level 1 on Friday.
“Patches for the Cisco uBR10012 Router Default SNMP Community Vulnerability have been available for over 24 hours. DeepSight Threat Management System (TMS) Sensors have not registered any significant activity that can be verified as malicious,” Symantec said on its website.
Secunia, in a separate advisory, rated the vulnerabilities a 3 out of 5, which it calls "moderately critical."
The SANS Internet Storm Center rated four of the vulnerabilities at its highest threat level, "patch now," six of the vulnerabilities “critical,” and two “important.”
Cisco patches 12 vulnerabilities
By Staff Writers on Sep 29, 2008 12:32PM