{"id":8584,"date":"2021-09-16T04:30:00","date_gmt":"2021-09-16T11:30:00","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?post_type=patch_watch&p=8584"},"modified":"2023-03-07T15:30:04","modified_gmt":"2023-03-07T22:30:04","slug":"august-cisco-patches-43-security-vulnerabilities","status":"publish","type":"patch_watch","link":"https:\/\/10.42.32.162\/patch_watch\/august-cisco-patches-43-security-vulnerabilities\/","title":{"rendered":"August: Cisco Patches 43 Security Vulnerabilities"},"content":{"rendered":"
Cisco Systems had released security patches to address 43 unique vulnerabilities in August, ranging in importance from critical, high, and medium severity. We analyzed these weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.<\/p>\n
<\/p>\n
The 43 vulnerabilities that were patched in August include<\/p>\n
6 CVEs classified as Remote Code Execution bugs<\/p>\n<\/li>\n
4 CVEs have Privilege Escalation capabilities<\/p>\n<\/li>\n
16 CVEs with Denial of Service<\/p>\n<\/li>\n
4 CVEs are Command Injection Execution<\/p>\n<\/li>\n
2 CVEs are linked to Cross-Site Scripting<\/p>\n<\/li>\n<\/ul>\n
Two CVEs are weaponized with known exploits and being exploited in the wild.<\/p>\n
<\/p>\n
In this edition, we analyzed the Patch Latency Metrics for the collated vulnerabilities.<\/p>\n
66% of patches were released on the same day when the vulnerability got published by the vendor.<\/p>\n<\/li>\n
9% of patches were released within the range of 2 and 50 days when the vulnerability got published by the vendor.<\/p>\n<\/li>\n
16% of patches were released within the range of 100 and 200 days when the vulnerability got published by the vendor.<\/p>\n<\/li>\n
CVE-2019-1727, rated as a high severity, received a patch after 833 days.<\/p>\n<\/li>\n<\/ul>\n
<\/p>\n
Cisco disclosed two zero-day bugs that received a security update this August.<\/p>\n
CVE-2021-1585 is a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ADSM) Launcher that can be caused by improper signature verification for code exchanged between the ASDM and the Launcher. This flaw has a CVSS v3 score of 8.1 (high) which leads to Improper Control of Generation of Code (‘Code Injection’) under CWE-94.<\/p>\n
Another Zero-day registered as CVE-2021-34730, a Denial of Service vulnerability\u00a0 in Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. This has a CVSS v3 score of 9.8 (critical) which leads to Improper Input Validation under CWE-20 (2021 CWE Top 25 Most Dangerous Software Weaknesses).<\/p>\n
<\/p>\n
5 old vulnerabilities have been patched by Cisco in August 2021, spanning the years from 2019 to 2020.<\/p>\n
2 CVEs have known exploits.<\/p>\n<\/li>\n
4 CVEs are featured in CISA.<\/p>\n<\/li>\n
3 CVEs are rated high and 2 are of low severity.<\/p>\n<\/li>\n
2 CVEs are categorized under 2021 CWE Top 25 Most Dangerous Software Weaknesses<\/a><\/p>\n<\/li>\n<\/ul>\n <\/p>\n Among these August Cisco patched vulnerabilities, six CVEs are red flagged by CISA.<\/p>\n 80% of the alerted CVEs are older ones.<\/p>\n<\/li>\n 2 CVEs have known exploits.<\/p>\n<\/li>\n 1 CVE is rated critical and two are of high severity.<\/p>\n<\/li>\n 2 CVEs are categorized under 2021 CWE Top 25 Most Dangerous Software Weaknesses<\/a><\/p>\n<\/li>\n<\/ul>\nCISA Alert<\/h2>\n
\n