Cisco Issues Fixes to Multiple Vulnerabilities

Independent researchers discovered a privilege escalation vulnerability that could allow attackers who already have authenticated access to the command line interface to obtain access to the underlying operating system of certain products.

Impacted products include the CiscoWorks Wireless LAN Solution Engine (WLSE), Hosting Solution Engine, User Registration Tool, Ethernet Subscriber Solution Engine and CiscoWorks 2000 Service Management Solution.

Cisco has issued patches for the affected products except the latter two, which are discontinued and no longer supported.

The San Jose, Calif.-based vendor also issued a separate advisory for WLSE, which is also susceptible to a cross site scripting vulnerability that may allow an attacker to gain administrative privileges on the system.

The vendor’s WLSE or WLSE Express WLAN management appliances running any version of software prior to 2.13 are susceptible to both vulnerabilities. By exploiting the privilege escalation and cross site scripting vulnerabilities together, a hacker could obtain complete control of the appliance, the company said.

The vulnerabilities are fixed in version 2.13 of WLSE software, which is available now for download.

In another advisory, Cisco also detailed a Multi Protocol Label Switching (MPLS)-related vulnerability on its Cisco IOS XR modular operating platform, which runs on its CRS-1 Carrier Router System and Cisco 12000-series routers, both primarily used by service providers.

If successfully exploited, the vulnerability could result in a reload of line cards on the routers. Repeated exploitation could result in a sustained denial of service attack, the company said.

Fixes for the vulnerability, which only impacts CRS-1 and 12000-series products that are configured for MPLS, are available now.