Cisco SOHO switches patched for SOHOpeless vuln
Buggy defaults in SNMP
This week's Cisco patch round includes a critical vuln in the kind of product least likely to get patched – a small business Ethernet switch.
The Small Business 220 Series Smart Plus switches ship with a hard-coded SNMP community string, which means that if a switch is visible to the Internet, a remote attacker can access its SNMP objects.
While Cisco rates the vulnerability as critical, it also notes that SNMP is off by default on the devices; it's only if the management protocol is turned on that the devices are vulnerable.
The flaw is present on switches running firmware releases 184.108.40.206, 220.127.116.11, and 18.104.22.168; new firmware is available.
WebEx Meetings Player can be crashed by a remote attacker – in the author's experience it can be crashed just by trying to join a meeting, but whatever – and a new version is available.