Cisco has released updates fixing critical RCE vulnerabilities

Cisco has released updates fixing multiple critical vulnerabilities in Cisco Policy Suite and Cisco Catalyst PON Series Switches Optical Network Terminal.

Successful exploitation of the vulnerabilities may lead to remote code execution and full system compromise.

The Vulnerabilities

A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user.

Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform command injections, modify the configuration and log in with a default credential if the Telnet protocol is enabled.

Affected Products

  • Cisco Policy Suite versions prior to 21.2.0.
  • Cisco Catalyst PON Switches:
    • CGP-ONT-1P, prior to version 1.1.1.14.
    • CGP-ONT-4P, prior to version 1.1.3.17.
    • CGP-ONT-4PV, prior to version 1.1.3.17.
    • CGP-ONT-4PVC, prior to version 1.1.3.17.
    • CGP-ONT-4TVCW, prior to version 1.1.3.17.

Mitigation

To mitigate the vulnerabilities, follow the steps in the original advisories linked below for the relevant product and version.

There are no workarounds available.

References: Cisco Security Advisories
