Poison ping pong prompts patch from Cisco

Switchzilla has fixes for appliances, voice portal, Nexus switch OS

By Richard Chirgwin

Cisco admins, it's your weekly patch notice.

The patch that gave us our headline is in NX-OS software, which is vulnerable to malicious pong (response to ping) packets.

If the pong packet tries to egress both a FabricPath port and a non-FabricPath port, the software tries to free the same area of memory twice. “An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco's advised.

Exploitation would need a relatively unlikely scenario, however, since Pong is disabled by default, as is FabricPath, and the FabricPath port has to be under monitoring by a SPAN (switched port analyser) session.

Users of the Adaptive Security Appliance or the Content Security Management Appliance need to run in a fix to plug a privilege escalation bug in the Web management console.

An authenticated local attacker can push themselves from guest up to root by firing a set of malicious commands at the command line interface.

The software in question is the AsyncOS Software for ESA and Content SMA, for both virtual and hardware appliances.

Cisco's Unified Customer Voice Portal (CVP) and its NX-OS Nexus switch operating system software both have upgrades to plug denial-of-service vulnerabilities.

CVP's issue concerns its method of handling SIP traffic: a targeted appliance can be crashed by malformed SIP INVITE traffic. The issue affects Cisco Unified CVP running software releases prior to 11.6(1). ®
