====================================================================

                               CERT-Renater

                    Information Note No. 2024/VULN366
_____________________________________________________________________

DATE                : 11/09/2024 (2024-09-11)

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Cisco IOS XR Software,
                     Multiple Cisco Products Web-Based Management Interface,
                     Cisco Routed Passive Optical Network Controller.

=====================================================================
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pak-mem-exhst-3ke9FeFy
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-priv-esc-CrG5vhCq
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-xehpbVNe
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-l2services-2mvHdNuC
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-shellutil-HCb278wD
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-xml-tcpdos-ZEXvrU2S
_____________________________________________________________________

Below is the list of Cisco Security Advisories published by Cisco
PSIRT on 2024-September-11.

The following PSIRT security advisories (6 High, 2 Medium) were
published at 16:00 UTC today.

Table of Contents:

1) Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability - SIR: High

2) Cisco IOS XR Software CLI Privilege Escalation Vulnerability - SIR: High

3) Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability - SIR: High

4) Cisco Routed Passive Optical Network Controller Vulnerabilities - SIR: High

5) Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability - SIR: High

6) Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability - SIR: High

7) Cisco IOS XR Software CLI Arbitrary File Read Vulnerability - SIR: Medium

8) Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability - SIR: Medium

+--------------------------------------------------------------------

1) Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability

CVE-2024-20304

SIR: High

CVSS Score (v3.1): 8.6

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pak-mem-exhst-3ke9FeFy

+--------------------------------------------------------------------

2) Cisco IOS XR Software CLI Privilege Escalation Vulnerability

CVE-2024-20398

SIR: High

CVSS Score (v3.1): 8.8

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-priv-esc-CrG5vhCq

+--------------------------------------------------------------------

3) Multiple Cisco Products Web-Based Management Interface Privilege
Escalation Vulnerability

CVE-2024-20381

SIR: High

CVSS Score (v3.1): 8.8

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-auth-bypass-QnTEesp

+--------------------------------------------------------------------

4) Cisco Routed Passive Optical Network Controller Vulnerabilities

CVE-2024-20483, CVE-2024-20489

SIR: High

CVSS Score (v3.1): 8.4

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL

+--------------------------------------------------------------------

5) Cisco IOS XR Software Segment Routing for Intermediate
System-to-Intermediate System Denial of Service Vulnerability

CVE-2024-20406

SIR: High

CVSS Score (v3.1): 7.4

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-xehpbVNe

+--------------------------------------------------------------------

6) Cisco IOS XR Software Network Convergence System Denial of Service
Vulnerability

CVE-2024-20317

SIR: High

CVSS Score (v3.1): 7.4

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-l2services-2mvHdNuC

+--------------------------------------------------------------------

7) Cisco IOS XR Software CLI Arbitrary File Read Vulnerability

CVE-2024-20343

SIR: Medium

CVSS Score (v3.1): 5.5

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-shellutil-HCb278wD

+--------------------------------------------------------------------

8) Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service
Vulnerability

CVE-2024-20390

SIR: Medium

CVSS Score (v3.1): 5.3

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-xml-tcpdos-ZEXvrU2S
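Added example, not part of this CERT-Renater note nor of Cisco's advisories: a small Python parser that turns entries written in this note's layout into records (index, title, CVE list, SIR, CVSS, advisory URL), orders them by CVSS for triage, and cross-checks the "(N High, M Medium)" tally given in the header against what was actually parsed. The SAMPLE text is a constructed excerpt of three of the entries above (one with a wrapped title and one, entry 4, that bundles two CVEs on a single line); the function names are my own. The CVSS label is accepted in both the "v(3.1)" and "(v3.1)" spellings.

```python
import re
from collections import Counter

# Constructed sample: three entries copied from this note, in the note's own
# layout, so the parser can be exercised offline.
SAMPLE = """
1) Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability

CVE-2024-20304

SIR: High

CVSS Score (v3.1): 8.6

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pak-mem-exhst-3ke9FeFy

+--------------------------------------------------------------------

4) Cisco Routed Passive Optical Network Controller
Vulnerabilities

CVE-2024-20483, CVE-2024-20489

SIR: High

CVSS Score v(3.1): 8.4

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL

+--------------------------------------------------------------------

7) Cisco IOS XR Software CLI Arbitrary File Read Vulnerability

CVE-2024-20343

SIR: Medium

CVSS Score (v3.1): 5.5

URL:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-shellutil-HCb278wD
"""

# Entries are separated by a "+----..." rule line.
ENTRY_SEP = re.compile(r"^\+-{10,}\s*$", re.MULTILINE)
TITLE_RE = re.compile(r"(\d+)\)\s+(.*)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SIR_RE = re.compile(r"^SIR:\s*(\w+)", re.MULTILINE)
# Accept both "CVSS Score v(3.1):" (as printed in the note) and "CVSS Score (v3.1):".
CVSS_RE = re.compile(r"^CVSS Score\s*(?:v\(3\.1\)|\(v3\.1\)):\s*([0-9]+(?:\.[0-9]+)?)", re.MULTILINE)
URL_RE = re.compile(r'https://sec\.cloudapps\.cisco\.com/security/center/content/CiscoSecurityAdvisory/[^\s"\]]+')


def parse_entries(text):
    """Parse advisory entries in this note's layout into a list of dicts."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        # Blank lines delimit paragraphs; a wrapped title is rejoined with spaces.
        paragraphs = [" ".join(p.split()) for p in re.split(r"\n\s*\n", chunk) if p.strip()]
        if not paragraphs:
            continue
        title = TITLE_RE.match(paragraphs[0])
        if not title:
            continue  # not an entry (e.g. the footer block)
        sir, cvss, url = SIR_RE.search(chunk), CVSS_RE.search(chunk), URL_RE.search(chunk)
        entries.append({
            "index": int(title.group(1)),
            "title": title.group(2),
            "cves": CVE_RE.findall(chunk),  # one advisory may carry several CVEs
            "sir": sir.group(1) if sir else None,
            "cvss": float(cvss.group(1)) if cvss else None,
            "url": url.group(0) if url else None,
        })
    return entries


def summarize(entries):
    """Return the SIR tally and the entries ordered for triage (highest CVSS first)."""
    counts = Counter(e["sir"] for e in entries)
    ordered = sorted(entries, key=lambda e: (-(e["cvss"] or 0.0), e["index"]))
    return counts, ordered


def check_header_claim(entries, high, medium):
    """Cross-check the bulletin's own '(N High, M Medium)' tally against the parsed entries."""
    counts = Counter(e["sir"] for e in entries)
    return counts.get("High", 0) == high and counts.get("Medium", 0) == medium


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    tally, by_score = summarize(parsed)
    for e in by_score:
        print(f"{e['cvss']:>4}  {e['sir']:<6} {', '.join(e['cves'])}  {e['title']}")
    print("tally:", dict(tally), "header claim (2 High, 1 Medium) holds:",
          check_header_claim(parsed, 2, 1))
```

Running the whole note through parse_entries instead of SAMPLE should give eight records and satisfy check_header_claim(entries, 6, 2); a mismatch means either a mangled entry or a tally that was not updated when the list changed, and is worth a second look before the note is forwarded.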

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
