Cisco eliminated two dangerous vulnerabilities affecting the update feature in the Cisco Industrial Network Director (IND) software package and the Cisco Unified Presence Platform Authorization Service (Cisco Unified CM IM & P Service, Cisco VCS, and Cisco Expressway).Cisco IND is a solution for managing industrial automation systems, and Cisco Unified Presence is a corporate platform that provides collection of information about the current state of customers’ availability and the ability to connect to customers in alternative ways.
The Cisco IND software contains a vulnerability (CVE-2019-1861) that allows an authorized attacker to execute code on devices with running vulnerable software. The problem related to incorrect verification of files uploaded to the application. The vulnerability affects Cisco IND versions up to 1.6.0.
The Cisco Unified Presence Solution is subject to a vulnerability (CVE-2019-1845), through which an unauthorized attacker can remotely initiate a denial of service during the authorization process of users on vulnerable servers.
The problem is caused by insufficient control in certain memory operations.
An attacker can exploit a bug by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) authorization requests to a vulnerable system. A successful attack will result in an unexpected restart of the authentication service and the inability to log in.
Issue resolved in Cisco Expressway Series and Cisco TelePresence VCS X12.5.3 and later.
Currently, exploitation of the described above vulnerabilities have not been identified.