
Flaws leave Cisco content switches vulnerable

Upgrade for DoS bug, but access flaw workaround only


Cisco has issued a security notice which admits to two security vulnerabilities affecting its range of high-end content switches, one of which remains unfixed.

The firm said that its Cisco Content Services (CSS) switch product, also known as Arrowpoint, has several security flaws once access to the command line interface is granted.

The first problem means a temporary denial of service can be launched against the switch by an unprivileged user, who can input commands that can cause the device to continuously reboot. A separate bug means that a user without administrator privileges can view filenames and file contents.

Among the products affected by the vulnerabilities are Cisco CSS 11050, CSS 11150, and CSS 11800 boxes, which run Cisco WebNS software. No other Cisco products are affected.

These devices are used by very large firms and service providers to manage Internet traffic flowing into web server farms, providing better reliability and resilience by distributing workloads across many servers, which can be a complex process.

Deri Jones, of security testers NTA Monitor, said the issue is potentially serious because only companies with deep pockets, and whose Internet presence is vital, would shell out for the Arrowpoint kit, and so "denials of service would almost certainly mean a big loss if they occur.

"The flaw itself, of having users with some level of privilege but not full privilege - but who are found to be able to do more than was intended, is a recurring theme in security problems," he said.

Users can protect themselves against a possible denial of service attack by upgrading to either revision 4.01(12s) or revision 3.10(71s) of Cisco WebNS software. Cisco is working on a fix for the file-access problem, and in the meantime is advising users to apply access control lists, or to restrict access through the firewall, so that only trusted hosts can reach the device's management interface.
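The interim workaround Cisco describes is an allow-list on the management interface. The following is an added example, not code from the article or from Cisco, and it does not use WebNS or IOS ACL syntax: it models the same policy in Python, evaluates a few constructed firewall log lines against it, and lists the sources that were refused, which is what an operator would want to alert on while the file-access flaw is unpatched. The subnets, ports and log format are assumptions made for the example.

```python
import ipaddress
import re
from typing import Iterable

# Constructed allow-list (assumed addresses): only the NOC subnet and one
# jump host may reach the switch's management interface.
MGMT_ALLOW = [
    ipaddress.ip_network("10.0.50.0/24"),   # NOC / admin subnet (constructed)
    ipaddress.ip_network("192.0.2.10/32"),  # jump host (constructed)
]

# Management services assumed to be exposed on the device for this example.
MGMT_PORTS = {22, 23, 80, 443}

# Assumed firewall log format: "src=A.B.C.D dst=A.B.C.D dport=N".
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def allowed(src: str, dport: int) -> bool:
    """True if a connection from src to dport should be passed by the ACL.

    Non-management ports are not covered by this ACL and are passed through;
    management ports are reachable only from the allow-listed networks.
    """
    if dport not in MGMT_PORTS:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_ALLOW)


def evaluate(lines: Iterable[str]) -> list[tuple[str, int, str]]:
    """Apply the policy to each parseable log line; returns (src, dport, verdict)."""
    results = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # skip lines that do not match the assumed format
        src, dport = match["src"], int(match["dport"])
        verdict = "allow" if allowed(src, dport) else "deny"
        results.append((src, dport, verdict))
    return results


def denied_sources(lines: Iterable[str]) -> set[str]:
    """Sources that tried to reach a management port from outside the allow-list."""
    return {src for src, _, verdict in evaluate(lines) if verdict == "deny"}


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "src=10.0.50.7 dst=10.0.1.5 dport=22",       # NOC host to SSH: allowed
    "src=198.51.100.23 dst=10.0.1.5 dport=23",   # outside host to telnet: denied
    "src=192.0.2.10 dst=10.0.1.5 dport=443",     # jump host to HTTPS: allowed
    "src=198.51.100.23 dst=10.0.1.5 dport=8080", # outside host, non-mgmt port: passed
    "garbage line with no fields",               # ignored by the parser
]

if __name__ == "__main__":
    for src, dport, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {src}:{dport}")
    print("alert on:", sorted(denied_sources(SAMPLE_LOG)))
```

Running the block prints one verdict per parseable line and then the set of sources worth alerting on. The check is deliberately applied only to the management ports, mirroring the advisory's point that the restriction is on the management interface rather than on the load-balanced traffic the switch exists to serve.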

The flaws came to light during a security audit of one of Cisco's customers, but the networking giant has stated that so far it is not aware of any malicious exploitation of the vulnerabilities. ®

External link

Cisco's security notice
