Cisco’s network management software DNA Spaces Connector, Integrated Management Controller (IMC) and IoT Field Network Director (FND) can be attacked via security holes classified as ” critical “. In addition, attackers could stealthily sneak into Webex meetings. Security updates are available.

Critical vulnerabilities Most dangerous is the vulnerability (CVE – 2020 – 3470) in IMC. Problems can arise here when processing HTTP requests, which results in memory errors. If this is the case, attackers could execute Schacode with root rights in the underlying operating system without authentication.

By successfully exploiting the vulnerability (CVE – 2020 – 3531) In FND, remote and unregistered attackers could access and change the back-end database due to insufficient authentication during REST API calls.

Since the management console of DNA Spaces Connector does not sufficiently check user input (CVE – 2020 – 3586 ), attackers could execute their own commands on vulnerable devices.

Webex spy Due a vulnerability (CVE – 2020 – 3419) attackers could be present at Webex meetings without appearing in the participant list. Hidden as a “ghost” from the other participants, attackers could eavesdrop on audio and video content, among other things. According to a warning from Cisco, this is only possible if attackers have access to meetings in the form of participation links and a password. Accordingly, the vulnerability is “only” classified with ” medium “.

Further vulnerabilities concern Expressway Software, Secure Web appliance and telepresence CE software. Here, attackers could, for example, gain unauthorized access to information or acquire higher user rights.

List sorted in descending order by threat level:

Integrated Management Controller Multiple Remote Code Execution IoT Field Network Director Unauthenticated REST API DNA Spaces Connector Command Injection IoT Field Network Director SOAP API Authorization Bypass IoT Field Network Director Missing API Authentication Webex Meetings and Cisco Webex Meetings Server Ghost Join Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Expressway Software Unauthorized Access Information Disclosure IoT Field Network REST API Insufficient Input Validation Webex Meetings API Cross-Site Scripting IoT Field Network Director Cross-Site Scripting Telepresence CE Software and RoomOS Software Unauthorized Token Generation Secure Web Appliance Privilege Escalation Webex Meetings and Cisco Webex Meetings Server Information Disclosure IoT Field Network Director Information Disclosure IoT Field Network Director Improper Access Control IoT Field Network Director File Overwrite IoT Field Network Director Improper Domain Access Control IoT Field Network Director Unprotected Storage of Credentials (of)