Both Cisco and Adobe have earlier this week released patches for vulnerabilities to their products
Cisco wireless VPN and router related products updates
Cisco dealt with CVE-2019-1663, a 9.8 CVSS scored flaw found in its wireless routers on selected models. The vulnerability allowed hackers to execute malicious codes on impacted device models remotely. Consequences of exploitation were detrimental to users of the device. For example, a hacker could gain access to users’ network effectively compromising it. The web-based management interface router models affected were:
1. Cisco RV110W Wireless-N VPN Firewall. Version 1.2.2.1 now has patch releases.
2. Cisco RV130W Wireless-N Multifunction VPN Router. Version 1.0.3.45 now has patches released.
3. RV215W Wireless-N VPN Router. Version 1.3.1.1 now has patches released.
Yu Zhang and Haoliang Lu of GeekPwn and T. of Pen Test Partners LLP, who discovered the flaw, found that a hacker could execute arbitrary code on the operating system of the devices, sending malicious HTTP requests as a privileged user. This was either through a LAN or remotely.
Adobe ColdFusion priority 1 patches released
Adobe, on the other hand, released updates to patch the recently found ColdFusion zero-day vulnerability known as CVE-2019-7816. Researchers Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek and Bridge Catalog Team discovered the vulnerability. Rated by Adobe as critical, it was exploited in the wild. Similarly to Cisco, it allowed for malicious codes to execute via an HTTP request to a web-accessible directory, bypassing initial file upload restrictions. The flaw existed because of the lack of validation processes of user-supplied input.
The following products were affected and consequently received patches:
1. ColdFusion 2018, version 2 and earlier
2. ColdFusion 2016, version 9 and earlier; and
3. ColdFusion 11, version 17 and earlier
ColdFusion, a development programme used to connect HTML pages to a database, further requires application of security configuration settings. Additionally, Adobe advised customers to review the Lockdown guides for each affected ColdFusion.
