
Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’

June 4, 2020

Cisco has disclosed four critical security flaws affecting router equipment that uses its IOS XE and IOS software. 

The four critical flaws are part of Cisco’s June 3 semi-annual advisory bundle for IOS XE and IOS networking software, which includes 23 advisories describing 25 vulnerabilities. 

The 9.8 out of 10 severity bug, CVE-2020-3227, concerns the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE Software, which allows a remote attacker without credentials to execute Cisco IOx API commands without proper authorization. 


IOx mishandles requests for authorization tokens, allowing an attacker to exploit the flaw with a specially crafted API call to request the token and then execute Cisco IOx API commands on the device, according to Cisco.

Cisco has also published two more advisories covering three critical IOS flaws affecting its industrial routers. 

CVE-2020-3205 is a command-injection vulnerability in Cisco’s implementation of the inter-VM channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000). 

The software doesn’t adequately validate signaling packets directed to the Virtual Device Server (VDS), which could allow an attacker to send malicious packets to an affected device, gain control of VDS and then completely compromise the system, including the IOS VM and guest VM. 

VDS handles access to devices that are shared by IOS and the guest OS, such as flash memory, USB ports, and the console. 

“A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user,” Cisco said. 

“Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise.”

CVE-2020-3198 and CVE-2020-3258 are part of the same advisory and concern a remote code execution vulnerability in the same industrial Cisco routers. 

Cisco describes its 800 Series of industrial routers as highly secure compact devices designed for harsh environments, with applications that include IoT gateway tasks in distribution automation, pipeline and road monitoring, fleet management and mass transport.

The flaw CVE-2020-3198 allows an unauthenticated, remote attacker to execute arbitrary code on affected systems or cause them to crash and reload.

An attacker could exploit the vulnerability by sending malicious UDP packets over IPv4 or IPv6 to an affected device. Cisco notes that the bug can be mitigated by implementing an access control list that restricts inbound traffic to UDP port 9700 of the device. It has a severity score of 9.8 out of 10. 

“The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 9700 of an affected device,” Cisco said. 

“An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to remotely execute code in the context of the Cisco IOS Software VM that is running on an affected system or cause an affected device to reload.”
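
The access control list mitigation for UDP port 9700 mentioned above could look like the following on an affected router, covering both IPv4 and IPv6 since the packets can arrive over either. This is an added example, not configuration from the original article or from Cisco's advisory; the ACL names and the interface name are assumptions.

```cisco
! Added example: ACL names and the interface are placeholders.
! IPv4: drop inbound UDP to port 9700, leave all other traffic as it was.
ip access-list extended BLOCK-UDP-9700
 deny   udp any any eq 9700
 permit ip any any
!
! IPv6: the same filter for the second transport the article mentions.
ipv6 access-list BLOCK-UDP-9700-V6
 deny   udp any any eq 9700
 permit ipv6 any any
!
! Apply inbound on every interface that can receive untrusted traffic.
! An interface takes one inbound ACL per protocol, so if one is already
! applied, add the deny entry to that ACL instead of replacing it.
! "any any" also matches transit traffic to port 9700; narrow the
! destination to the router's own addresses if that matters on your network.
interface GigabitEthernet0
 ip access-group BLOCK-UDP-9700 in
 ipv6 traffic-filter BLOCK-UDP-9700-V6 in
!
```

After applying it, `show ip access-lists BLOCK-UDP-9700` and `show ipv6 access-list BLOCK-UDP-9700-V6` report match counters on the deny entries, which shows whether anything is sending traffic to that port.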


The second bug, CVE-2020-3258, is less severe with a score of 5.7 out of 10 and could allow an unauthenticated local attacker to execute arbitrary code on the device. However, the attacker also must have valid user credentials at privilege level 15, the highest level in Cisco’s scheme. 

The vulnerability allows an attacker to modify the device’s run-time memory, overwrite system memory locations and execute arbitrary code on the affected device. 

All four bugs were found by Cisco’s penetration testing squad, the Cisco Advanced Security Initiatives Group. 

Credit: ZDNet
