Cisco patches two major security flaws
Cisco has released patches for two high-severity flaws (CVE-2019-1721 and CVE-2019-1694) which, if left unpatched, can allow hackers to launch Denial of Service (DoS) attacks. These flaws impact Cisco’s TelePresence Video Communication Server and ASA 5500-X Series Firewalls.
Of the two flaws, CVE-2019-1721, identified in the phone-book feature of Cisco Expressway Series and Cisco TelePresence Video Communication Server, is considered to be of high impact, as it could allow an unauthenticated remote attacker to drive CPU utilization to 100 percent, causing a DoS condition on an affected system.
The flaw arose due to improper handling of XML input by affected devices. “An attacker could exploit this vulnerability by sending a Session Initiation Protocol (SIP) message with a crafted XML payload to an affected device. A successful exploit could allow the attacker to exhaust CPU resources, resulting in a DoS condition. Manual intervention may be required to recover the device,” Cisco stated in its security bulletin.
The second patched flaw, CVE-2019-1694, arose due to improper handling of TCP traffic. It was spotted in the TCP processing engine of Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software. “An attacker who is using a TCP protocol that is configured for inspection could exploit this vulnerability by sending a specific sequence of packets at a high rate through an affected device,” Cisco stated in its bulletin.