The network equipment maker is asking its customers to update their switches, routers, and the AnyConnect VPN Client for Windows. Cisco disclosed that a bug in the IPv6 packet processing engine could allow a remote attacker without credentials to trigger a denial-of-service attack on affected devices.
The list of affected switches includes 250 series smart switches, 350 series managed switches, 350x series stackable managed switches, 550x series stackable managed switches, small business 200 series switches, small business 300 series managed switches, and small business 500 series stackable managed switches.
The bug causes all of the named switches to reboot, forcing them offline. Of the affected switches, Cisco has been able to push software updates to only four. The rest are already beyond their end-of-software-maintenance milestone, so users of those switches have no choice but to upgrade the device itself.
The vulnerability is tracked as CVE-2020-3363 and has a severity score of 8.6 out of 10. The company also notes that the issue affects IPv6 traffic only.
Another serious IPv6 implementation flaw relates to Cisco StarOS. The affected devices include Cisco's ASR 5000 series aggregation services routers. These routers can be attacked if they are running a vulnerable release of Cisco StarOS.
The AnyConnect VPN client for Windows is affected by a flaw that can let a local attacker perform a dynamic link library (DLL) hijacking attack. An attacker can exploit this by sending a crafted IPC message. The vulnerability is tracked as CVE-2020-3433 and has a severity score of 7.8.
The flaw affects the Cisco AnyConnect Secure Mobility Client for Windows v4.9.00086 and later. The bug does not affect the AnyConnect client for macOS, Linux, Android or iOS.