Telnet, SSH prod of death smashes Cisco broadband boxes offline

Plus: Log in to a stranger's Cisco Meeting account and chat away as them

By Shaun Nichols in San Francisco

Cisco has issued six software updates to address security vulnerabilities in its networking products, ranging from denial of service conditions to authentication bypasses.

The most serious of the flaws is the authentication bypass hole in the Cisco Meeting Server. Cisco warns that, due to improper handling of XMPP messaging, a remote unauthenticated attacker could exploit the vulnerability to gain access to another user's account, and log in to the server with their permissions and chat away as them. The vulnerability, which is exposed in Meeting Server versions 2.0.6 and earlier with XMPP enabled, has been rated as a "critical" risk.

On the Unified Communications Manager (UCM) platform, a patch has been issued to address poor handling of iframe code that potentially allows an attacker to re-route user traffic for clickjacking or phishing attacks.

For companies running Wide Area Application Services (WAAS), Cisco has posted an update to address a denial of service vulnerability in the WAN platform. An attacker can exploit the flaw by flooding the vulnerable appliances with SSL traffic, thanks to a lack of file size limits.

The Cisco cBR-8 Converged Broadband Routers have been found to contain a flaw that allows an attacker to disrupt connections by constantly pinging the router with Telnet and SSH connection requests.

Those who use the Cisco Prime Infrastructure and Evolved Programmable Network Manager for SQL will want to patch up a SQL injection flaw that allowed an attacker to use SQL queries to access stored data or trigger a denial of service.

The Cisco Finesse Agent remote administration software has been updated with a fix for a cross-site request forgery. Should an attacker exploit the flaw via a malicious link, they would have access to the target system with the current user's permissions.

Cisco says it is not aware of any attacks in the wild targeting any of the patched vulnerabilities. ®
