Cisco warns of 'critical' risks from web bugs and insecure SSH keys

Cisco has released a fresh crop of security advisories, including warnings for critical flaws in the UCS, Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that would allow an attacker to gain root access over its products.

The alerts were part of a collection of six security advisories released Wednesday to cover vulnerabilities in various hardware and software offerings.

• CVE-2016-1313 is a flaw in the UCS Invicta software that stores SSH keys in an insecure location and could potentially allow an attacker to gain root access to the targeted system.
• CVE-2016-1291 was found in the web interface used by Cisco Prime Infrastructure and EPNM. An attacker can send a malformed HTTP POST request to gain root access or execute arbitrary code.
• CVE-2016-1290 was also found in the web interface used by Prime Infrastructure and EPNM. The flaw allows an attacker to send a specially-crafted URL request to bypass access controls and gain an elevation of privilege.
• CVE-2016-1346 allows for a denial of service in Cisco TelePresence Server by way of a malformed IPv6 that causes a kernel panic in the software and forces a reboot.
• CVE-2015-6312 is a denial of service vulnerability that forces the TelePresence Server software to crash and restart when presented with specially-crafted Session Traversal Utilities for NAT data packet.
• CVE-2015-6313 is an HTML parsing engine error for TelePresence Server that would allow denial of service should an attacker flood the targeted server with enough URL requests to fill memory and trigger a restart.

Cisco is advising administrators to test and install the updates for any affected products as soon as possible. ®