Cisco patch day fixes CGI script blunder, hard-coded credentials
Good news for Meraki users, firmware flub fixed
If you've got a Cisco Unified Computing System or a Firepower 9000 Series appliance, get busy patching.
The Borg says it slipped up and let a CGI script pass unvalidated input from the request URL straight to shell commands. By manipulating the URL, an attacker could execute arbitrary commands on the affected kit.
All versions of UCS Manager prior to 2.2(4b), 2.2(5a) and 3.0(2e) are vulnerable, as is Firepower 9000 Series software prior to 1.1.2.
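The class of bug described above, a CGI handler that splices a URL parameter into a shell command line, is easier to recognise next to its fixed form. The Python below is an added illustration written for this article, not code from Cisco, UCS Manager or Firepower; the handler, the `host` parameter, the `/cgi-bin/status` path and the access-log lines are all hypothetical and constructed. It shows the flawed concatenation pattern, the hardened version (allow-list validation plus an argv list so no shell ever parses the input), and a small log check a defender can run over web-server access logs to spot decoded shell metacharacters aimed at CGI endpoints.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, unquote, urlsplit

# --- Flawed pattern (hypothetical): request parameter concatenated into a shell string ---
def build_command_unsafe(query_string: str) -> str:
    """Return the command line the flawed handler would hand to /bin/sh via shell=True."""
    host = parse_qs(query_string).get("host", [""])[0]
    # A shell would treat ';', '|', '&', '`' and '$' inside `host` as syntax, so the
    # requester controls what runs. We only build the string here; nothing executes it.
    return "ping -c 1 " + host


# --- Hardened form: validate against an allow-list, then pass an argv list with no shell ---
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def validate_host(value: str) -> str:
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("rejected host parameter: %r" % value)

def build_command_safe(query_string: str) -> list[str]:
    """Return an argv list; each element reaches execve as one argument, never a shell."""
    host = validate_host(parse_qs(query_string).get("host", [""])[0])
    return ["ping", "-c", "1", host]

def is_rejected(query_string: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_command_safe(query_string)
        return False
    except ValueError:
        return True

def run_safe(query_string: str) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (needs a `ping` binary on the host)."""
    return subprocess.run(build_command_safe(query_string), shell=False,
                          capture_output=True, text=True, timeout=10)


# --- Detection: flag CGI requests whose decoded query carries shell metacharacters ---
SHELL_METACHARS = set(";|&`$<>\n")

# Constructed sample access-log lines in common log format; not from any real device.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2015:10:00:01 +0000] "GET /cgi-bin/status?host=198.51.100.7 HTTP/1.1" 200 512
192.0.2.11 - - [10/Nov/2015:10:00:02 +0000] "GET /cgi-bin/status?host=198.51.100.7%3B%20ls HTTP/1.1" 200 734
192.0.2.12 - - [10/Nov/2015:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

_REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def flag_cgi_injection_attempts(log_text: str) -> list[dict]:
    """Return one record per request to /cgi-bin/ whose URL-decoded query contains a metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/cgi-bin/"):
            continue
        decoded = unquote(parts.query)  # decode %3B, %7C etc. before inspecting
        if any(c in decoded for c in SHELL_METACHARS):
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "target": m.group("target"), "decoded_query": decoded})
    return hits


if __name__ == "__main__":
    print("flawed :", build_command_unsafe("host=198.51.100.7%3B%20ls"))
    print("hardened:", build_command_safe("host=198.51.100.7"))
    print("rejected:", is_rejected("host=198.51.100.7%3B%20ls"))
    for hit in flag_cgi_injection_attempts(SAMPLE_LOG):
        print("suspicious CGI request:", hit)
```

The key design choice is that the hardened path never lets the web server's shell see the parameter: validation is an allow-list (IP literal or hostname characters only) rather than a blacklist of "dangerous" characters, and the command is an argv list so there is no string for a shell to reinterpret. The log check decodes the query before inspecting it, since percent-encoding is the normal way such characters arrive in a URL.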
Over in the multimedia business, users of the company's D9036 multimedia encoding platform also need to pick up a firmware upgrade, because Cisco devs built the firmware with a static password for both the root account and the guest account.
Not all patches are bad: Cisco's Meraki business unit has shipped a patch to a patch, after a firmware fix borked users' speed settings on its Z1 telecommuter gateway.
The issue got pretty hot on Reddit for a while. Users found that after a firmware upgrade, a speed setting on the Z1's management interface was limited to 50 Mbps, where formerly it went all the way to 200 Mbps (Vulture South, whose ADSL needs good weather and a deep breath to hit 5 Mbps, cried a little to read this).
The change left users fearful that the company was about to implement bandwidth-based licensing, but that turned out not to be the case.
The company confirmed yesterday that the change to the Z1 management UI was a simple error. Its latest Reddit post states:
"We have confirmed that this UI limitation was introduced for a subset of Z1 networks during the course of fixing another issue. The Cisco Meraki development team has resolved the issue, and anyone affected can increase their configured WAN bandwidth back to its desired value.
"While we do not recommend exceeding the officially supported throughput on the Z1, we recognize that as a telecommuter device the Z1 is deployed in a variety of ways, some of which may well allow customers to achieve significantly higher speeds than those we publish. We have no intention of preventing anyone from doing so." ®