Cisco Systems had released security patches to address 43 unique vulnerabilities in August, ranging in importance from critical, high, and medium severity. We analyzed these weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.
An Analysis of Cisco August Patched Vulnerabilities
The 43 vulnerabilities that were patched in August include
-
6 CVEs classified as Remote Code Execution bugs
-
4 CVEs have Privilege Escalation capabilities
-
16 CVEs with Denial of Service
-
4 CVEs are Command Injection Execution
-
2 CVEs are linked to Cross-Site Scripting
Two CVEs are weaponized with known exploits and being exploited in the wild.
Patch Latency
In this edition, we analyzed the Patch Latency Metrics for the collated vulnerabilities.
-
66% of patches were released on the same day when the vulnerability got published by the vendor.
-
9% of patches were released within the range of 2 and 50 days when the vulnerability got published by the vendor.
-
16% of patches were released within the range of 100 and 200 days when the vulnerability got published by the vendor.
-
CVE-2019-1727, rated as a high severity, received a patch after 833 days.
Zero Days
Cisco disclosed two zero-day bugs that received a security update this August.
CVE-2021-1585 is a remote code execution (RCE) vulnerability in the Adaptive Security Device Manager (ADSM) Launcher that can be caused by improper signature verification for code exchanged between the ASDM and the Launcher. This flaw has a CVSS v3 score of 8.1 (high) which leads to Improper Control of Generation of Code (‘Code Injection’) under CWE-94.
Another Zero-day registered as CVE-2021-34730, a Denial of Service vulnerability in Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. This has a CVSS v3 score of 9.8 (critical) which leads to Improper Input Validation under CWE-20 (2021 CWE Top 25 Most Dangerous Software Weaknesses).
Old Vulnerabilities
5 old vulnerabilities have been patched by Cisco in August 2021, spanning the years from 2019 to 2020.
-
2 CVEs have known exploits.
-
4 CVEs are featured in CISA.
-
3 CVEs are rated high and 2 are of low severity.
-
2 CVEs are categorized under 2021 CWE Top 25 Most Dangerous Software Weaknesses
CISA Alert
Among these August Cisco patched vulnerabilities, six CVEs are red flagged by CISA.
-
80% of the alerted CVEs are older ones.
-
2 CVEs have known exploits.
-
1 CVE is rated critical and two are of high severity.
-
2 CVEs are categorized under 2021 CWE Top 25 Most Dangerous Software Weaknesses
Table: Cisco August Patches 2021
Despite the fact that software is easier to update than hardware, vulnerabilities are just as frequent and deadly. Hence, beware of newly disclosed vulnerabilities and do your utmost to implement updates as quickly as possible.