NikolaNews
Cisco bug warning: Critical static password flaw in network appliances needs patching

August 23, 2020
in Internet Security

Cisco has disclosed a critical flaw affecting its ENCS 5400-W Series and CSP 5000-W Series appliances: the software shipped on them contains user accounts with a default, static password.

During internal testing, Cisco found that the Virtual Wide Area Application Services (vWAAS) images bundled with Cisco Enterprise NFV Infrastructure Software (NFVIS) for these appliances contain user accounts with a fixed password.

NFVIS helps customers virtualize Cisco network services such as its Integrated Services Virtual Router, virtual WAN optimization, Virtual ASA, virtual Wireless LAN Controller, and Next-Generation Virtual Firewall. 

Because the account and its password are the same on every affected device, a remote attacker who holds no credentials for the target can log into the NFVIS command-line interface with administrator privileges simply by using the built-in account.

Customers with affected appliances need to apply Cisco's updates if the appliances are running vWAAS with NFVIS-bundled image releases 6.4.5, or 6.4.3d and earlier.

There are no workarounds, so the update is the only way for customers to plug the flaw, which has a severity rating of 9.8 out of 10 and is being tracked as CVE-2020-3446.

Cisco lists four ways an attacker could reach the NFVIS CLI, depending on how the device is configured. The first two need no prior credentials if the interface is exposed; the last two require a valid login to another component first:

  • The Ethernet management port for the CPU on an affected ENCS 5400-W Series appliance. This interface might be remotely accessible if a routed IP is configured.
  • The first port on the four-port I350 PCIe Ethernet Adapter card on an affected CSP 5000-W Series appliance. This interface might be remotely accessible if a routed IP is configured.
  • A connection to the vWAAS software CLI, after first authenticating to the vWAAS CLI with a valid user credential.
  • A connection to the Cisco Integrated Management Controller (CIMC) interface of the ENCS 5400-W Series or CSP 5000-W Series appliance, after first authenticating to the CIMC with a valid user credential.

In the last two cases the static password turns any foothold that includes vWAAS or CIMC credentials, however limited, into full administrative control of NFVIS.

Cisco has also posted two more high-severity advisories that can be addressed by installing software updates it recently made available.

Multiple vulnerabilities affect Cisco's Video Surveillance 8000 Series IP Cameras and may allow an unauthenticated attacker in the same broadcast domain as the vulnerable camera to execute code on it or knock it offline.

The flaws reside in the Cisco Discovery Protocol (CDP), a Layer 2 (data link layer) protocol in the Open Systems Interconnection (OSI) networking model. CDP frames are not routed, which is why the attacker must be on the same broadcast domain as the camera.

“An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera,” explains Cisco in the advisory for the flaws CVE-2020-3506 and CVE-2020-3507.  

“A successful exploit could allow the attacker to execute code on the affected IP camera or cause it to reload unexpectedly, resulting in a denial-of-service (DoS) condition.”

The cameras are vulnerable if they are running a firmware version earlier than 1.0.9-4 and have the Cisco Discovery Protocol enabled. Again, customers need to apply Cisco's update to protect the cameras because there is no workaround.

These bugs were reported to Cisco by Qian Chen of Qihoo 360 Nirvan Team. Cisco notes it is not aware of any malicious activity using these vulnerabilities.

The second high-severity advisory concerns a privilege-escalation flaw affecting the Cisco Smart Software Manager On-Prem or SSM On-Prem. It’s tracked as CVE-2020-3443 and has a severity score of 8.8 out of 10. 

During internal testing, Cisco discovered that an authenticated, remote attacker could elevate their privileges up to an administrative role and execute commands at that level, which would give the attacker full access to the device.

The bug affects all Cisco SSM On-Prem releases earlier than version 8-202004. It also affects all 6.x releases of Cisco Smart Software Manager satellite, which is the earlier name of the same product.

Customers need to install Cisco’s updates since there is no workaround available. 
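None of the three advisories above has a workaround, so the practical task is finding which devices are affected and how reachable each flaw is. The script below is an added example, not Cisco tooling: it turns the affected release sets stated for the static-password flaw (6.4.5, or 6.4.3d and earlier), the camera CDP flaws (firmware earlier than 1.0.9-4 with CDP enabled) and the SSM On-Prem escalation (earlier than 8-202004, or any 6.x satellite) into version rules, and ranks each host by the attack path the advisories describe. The hostnames, product labels and configuration flags in the inventory are constructed sample data, and a release outside the listed sets is reported for manual review rather than declared fixed.

```python
"""Triage a device inventory against the three Cisco advisories discussed above.

Added example, not Cisco tooling. The version rules encode only the affected
release sets the advisories state; hostnames and interface flags below are
constructed sample data.
"""
import re

CVE_STATIC_PASSWORD = "CVE-2020-3446"           # vWAAS with NFVIS-bundled image
CVE_CAMERA_CDP = "CVE-2020-3506/CVE-2020-3507"  # Video Surveillance 8000 Series
CVE_SSM_PRIVESC = "CVE-2020-3443"               # SSM On-Prem / SSM satellite


def parse_release(release):
    """Turn a Cisco release string into a comparable tuple.

    Digit runs compare numerically and a letter suffix sorts after the bare
    number (6.4.3 < 6.4.3d < 6.4.4). Separators are ignored, so 1.0.9-4 and
    8-202004 parse the same way. Kind tags (0 for numbers, 1 for letters)
    keep Python from ever comparing an int against a str.
    """
    tokens = re.findall(r"\d+|[a-z]+", release.lower())
    if not tokens:
        raise ValueError(f"unparseable release: {release!r}")
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def vwaas_affected(release):
    """Advisory: releases 6.4.5, or 6.4.3d and earlier, carry the static account."""
    v = parse_release(release)
    return v == parse_release("6.4.5") or v <= parse_release("6.4.3d")


def camera_affected(release):
    """Advisory: firmware earlier than 1.0.9-4 is vulnerable (when CDP is on)."""
    return parse_release(release) < parse_release("1.0.9-4")


def ssm_affected(product, release):
    """Advisory: SSM On-Prem earlier than 8-202004, and every 6.x satellite release."""
    v = parse_release(release)
    if product == "ssm-satellite":
        return v[0] == (0, 6)
    return v < parse_release("8-202004")


def triage(rec):
    """Return (cve, priority, note) for one inventory record.

    Priority follows the attack paths in the advisories: an exposed static
    password outranks one that needs a prior login, and a CDP flaw only
    matters while CDP is enabled.
    """
    product, release = rec["product"], rec["release"]
    if product == "vwaas-nfvis":
        if not vwaas_affected(release):
            # e.g. 6.4.4 is in neither listed set: confirm against Cisco's advisory
            return (CVE_STATIC_PASSWORD, "review", "release not in listed affected set")
        if rec.get("mgmt_routed_ip"):
            return (CVE_STATIC_PASSWORD, "critical",
                    "static admin password reachable unauthenticated via routed management port")
        return (CVE_STATIC_PASSWORD, "high",
                "affected; NFVIS CLI reachable only after authenticating to vWAAS CLI or CIMC")
    if product == "vs8000-camera":
        if not camera_affected(release):
            return (CVE_CAMERA_CDP, "ok", "firmware 1.0.9-4 or later")
        if rec.get("cdp_enabled"):
            return (CVE_CAMERA_CDP, "high",
                    "CDP enabled on vulnerable firmware: code execution or reload from same broadcast domain")
        return (CVE_CAMERA_CDP, "medium",
                "vulnerable firmware with CDP off: not currently exposed, update still required")
    if product in ("ssm-onprem", "ssm-satellite"):
        if ssm_affected(product, release):
            return (CVE_SSM_PRIVESC, "high", "authenticated user can escalate to administrator")
        return (CVE_SSM_PRIVESC, "ok", "release 8-202004 or later")
    raise ValueError(f"unknown product {product!r}")


# Constructed sample inventory (hypothetical hosts, not real devices).
INVENTORY = [
    {"host": "encs-01", "product": "vwaas-nfvis", "release": "6.4.3d", "mgmt_routed_ip": True},
    {"host": "encs-02", "product": "vwaas-nfvis", "release": "6.4.2", "mgmt_routed_ip": False},
    {"host": "csp-01", "product": "vwaas-nfvis", "release": "6.4.5", "mgmt_routed_ip": True},
    {"host": "csp-02", "product": "vwaas-nfvis", "release": "6.4.4", "mgmt_routed_ip": True},
    {"host": "cam-01", "product": "vs8000-camera", "release": "1.0.9-3", "cdp_enabled": True},
    {"host": "cam-02", "product": "vs8000-camera", "release": "1.0.9-4", "cdp_enabled": True},
    {"host": "cam-03", "product": "vs8000-camera", "release": "1.0.8-1", "cdp_enabled": False},
    {"host": "ssm-01", "product": "ssm-onprem", "release": "8-202001"},
    {"host": "ssm-02", "product": "ssm-onprem", "release": "8-202004"},
    {"host": "sat-01", "product": "ssm-satellite", "release": "6.3.0"},
]


def triage_inventory(records=INVENTORY):
    """Map hostname -> (cve, priority, note) for every record."""
    return {rec["host"]: triage(rec) for rec in records}


if __name__ == "__main__":
    for host, (cve, prio, note) in triage_inventory().items():
        print(f"{prio:8} {host:8} {cve:26} {note}")
```

The "review" result is deliberate: a release such as 6.4.4 or 6.4.5a falls outside both sets the advisory names, and the script refuses to guess whether it is fixed. Feed real inventory records through `triage_inventory` and treat anything not reported as "ok" as needing the update, since no workaround exists for any of the three flaws.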

At the same time as patching the critical and high-severity flaws, the company has also issued fixes for a further 21 medium-severity vulnerabilities.

More on Cisco and network security

  • Cisco alert: Four high-severity flaws in routers, switches and AnyConnect VPN for Windows  
  • Patch now: Cisco warns of nasty bug in its data center software  
  • Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’  
  • Cisco warns: These Nexus switches have been hit by a serious security flaw  
  • Cisco: Critical Java flaw strikes ‘call center in a box’, patch urgently  
  • Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching  
  • Cisco critical bug: Static password in Smart Software Manager – patch now, says Cisco  
  • Cisco: Patch this critical firewall bug in Firepower Management Center  
  • Critical Cisco DCNM flaws: Patch right now as PoC exploits are released  
  • Cisco critical bugs: Nexus data center switch software needs patching now  
  • Cisco: All these routers have the same embedded crypto keys, so update firmware  
  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET
  • Credit: Zdnet
