This article is more than 1 year old

Cisco SOHO switches patched for SOHOpeless vuln

Buggy defaults in SNMP

This week's Cisco patch round includes a critical vuln in the kind of product least likely to get patched – a small business Ethernet switch.

The Small Business 220 Series Smart Plus switches ship with a hard-coded SNMP community string, which means if it's visible to the Internet, a remote attacker can access its SNMP objects.

While Cisco rates the vulnerability as critical, it also notes that SNMP is off by default on the devices; it's only if the management protocol is turned on that the devices are vulnerable.

It's present on switches running firmware release 1.0.0.17, 1.0.0.18, and 1.0.0.19; new firmware is available.

The same switches also have issues in their Web interface: a cross-site request forgery bug; a cross-site scripting issue; and a denial-of-service vulnerability.

WebEx Meetings Player can be crashed by a remote attacker – in the author's experience it can be crashed just by trying to join a meeting, but whatever – and a new version is available.

There are also a couple of minor DoS vulnerabilities in Switchzilla's wireless LAN controller software. ®

More about

TIP US OFF

Send us news


Other stories you might like