Security

Cisco Patches High-Severity Vulnerabilities in Analog Telephone Adapters

.Cisco on Wednesday introduced patches for eight susceptibilities in the firmware of ATA 190 series analog telephone adapters, featuring 2 high-severity imperfections causing setup changes and cross-site demand bogus (CSRF) strikes.Affecting the online control user interface of the firmware and tracked as CVE-2024-20458, the very first bug exists since particular HTTP endpoints do not have verification, permitting remote control, unauthenticated opponents to surf to a particular link as well as viewpoint or even erase arrangements, or modify the firmware.The 2nd issue, tracked as CVE-2024-20421, permits remote, unauthenticated opponents to carry out CSRF strikes as well as do random activities on prone gadgets. An enemy may manipulate the safety and security issue through encouraging a user to click a crafted hyperlink.Cisco also covered a medium-severity weakness (CVE-2024-20459) that can enable remote, validated assaulters to carry out arbitrary commands with root benefits.The remaining five surveillance problems, all channel extent, may be exploited to perform cross-site scripting (XSS) strikes, carry out approximate demands as root, sight codes, customize tool arrangements or reboot the device, and also function commands with supervisor advantages.Depending on to Cisco, ATA 191 (on-premises or even multiplatform) as well as ATA 192 (multiplatform) units are impacted. While there are no workarounds on call, disabling the online control interface in the Cisco ATA 191 on-premises firmware reduces 6 of the imperfections.Patches for these bugs were consisted of in firmware model 12.0.2 for the ATA 191 analog telephone adapters, and also firmware version 11.2.5 for the ATA 191 and 192 multiplatform analog telephone adapters.On Wednesday, Cisco also revealed patches for two medium-severity surveillance problems in the UCS Central Program organization management service and the Unified Call Facility Control Website (Unified CCMP) that could possibly bring about vulnerable details acknowledgment and also XSS assaults, respectively.Advertisement. Scroll to continue reading.Cisco makes no mention of any one of these vulnerabilities being capitalized on in the wild. Additional details could be discovered on the provider's protection advisories web page.Related: Splunk Company Update Patches Remote Code Completion Vulnerabilities.Connected: ICS Patch Tuesday: Advisories Published through Siemens, Schneider, Phoenix Get In Touch With, CERT@VDE.Associated: Cisco to Buy System Cleverness Organization ThousandEyes.Connected: Cisco Patches Critical Susceptibilities in Top Infrastructure (PI) Software Program.