Highlights
Your workstation and servers aren’t the only operating systems (OSes) that require patching. Firewalls, routers, and switches run OSes of their own and also require updates.
On June 3rd, Cisco released their semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. In this publication, Cisco identified 20 vulnerabilities with a Security Impact Rating (SIR) of “high” and three with an SIR of “critical.” The advisory lists Cisco security risks that have CVSS scores ranging from 6.7 to 9.8 and includes denial-of-service (DoS), command injection, privilege escalation, and remote code execution (RCE) attacks.
Patching systems helps prevent attackers from exploiting any vulnerabilities in your environment, a risk that could have a significant impact on your organization. In the case of this security advisory, Cisco provides no workarounds other than patching your system to address associated vulnerabilities. While Cisco states that many of these vulnerabilities have not yet been exploited, it will not be long before attackers specifically check for systems that have not had the relevant patches applied.
As a one-time fix, applying the patch will address these particular security flaws. However, maintaining an inventory of hardware and installed software and developing a routine process to track relevant vendor-provided guidance will help mitigate future threats that exploit unpatched systems. By actively monitoring for vulnerability alerts that affect the inventoried systems in your environment, your organization can maintain an ongoing process to apply security-related patches in a timely manner.
Have any questions regarding these latest Cisco security risks and how to patch the firmware? Please contact our security experts at any time.
About the Author
Eric Foss
Eric is a Consultant at Sikich whose experience includes securing point of sale systems, managing risk, and performing third-party vendor assessments. He is well versed with compliance standards and regulations, including those associated with the payment card industry (PCI DSS) and the health care industry (HIPAA/HITECH, HITRUST CSF). Eric has been in the information security field for 13 years and excels at providing a diverse skillset to any project. Eric holds a Bachelor of Science degree in Network Security and a Master of Science degree in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Payment Card Industry Qualified Security Assessor (QSA), Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI), and possesses a variety of certifications from CompTIA, Microsoft and Cisco.