Cisco Security Advisories

Cisco Access Point Software Uncontrolled Resource Consumption Vulnerability

Thu, 12/12/2024 - 3:27pm
A vulnerability in the packet processing functionality of Cisco access point (AP) software could allow an unauthenticated, adjacent attacker to exhaust resources on an affected device.&nbsp;<br><br> This vulnerability is due to insufficient management of resources when handling certain types of traffic. An attacker could exploit this vulnerability by sending a series of specific wireless packets to an affected device. A successful exploit could allow the attacker to consume resources on an affected device. A sustained attack could lead to the disruption of the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel and intermittent loss of wireless client traffic.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-dos-capwap-DDMCZS4m">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-dos-capwap-DDMCZS4m</a><br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2023-20268
Categories: Cisco

Cisco NX-OS Software Image Verification Bypass Vulnerability

Wed, 12/04/2024 - 7:00pm
<span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015061" data-mce-annotation="tinycomments">A </span>vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015076" data-mce-annotation="tinycomments">attacker</span> with physical access to an affected device, <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015026" data-mce-annotation="tinycomments">or an authenticated, local attacker with administrative credentials, </span>to bypass <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015022" data-mce-annotation="tinycomments">NX-OS</span> image <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015077" data-mce-annotation="tinycomments">signature verification</span><span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015024" data-mce-annotation="tinycomments">.</span><br><br> This vulnerability is due to <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015025" data-mce-annotation="tinycomments">insecure bootloader settings</span>. <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015026" data-mce-annotation="tinycomments">An attacker could exploit this vulnerability by executing a series of bootloader commands.</span> A successful exploit could allow the attacker to bypass <span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015023" data-mce-annotation="tinycomments">NX-OS</span> <span class="mce-annotation tox-comment tox-comment--active" data-mce-annotation-uid="CONV-0015028" data-mce-annotation="tinycomments">image signature verification</span> and load<span class="mce-annotation tox-comment" data-mce-annotation-uid="CONV-0015036" data-mce-annotation="tinycomments"> unverified software</span>.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL" target="_blank" rel="noopener">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL</a><br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2024-20397
Categories: Cisco

Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability

Mon, 12/02/2024 - 11:05pm
A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA.<br><br>The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link.<br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2014-2120
Categories: Cisco