Poison ping pong prompts patch from Cisco

Switchzilla has fixes for appliances, voice portal, Nexus switch OS

By Richard Chirgwin

Cisco admins, it's your weekly patch notice.

The patch that gave us our headline is in NX-OS software, which is vulnerable to malicious pong (response to ping) packets.

If the pong packet tries to egress both a FabricPath port and a non-FabricPath port, the software tries to free the same area of memory twice. “An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco's advised.

Exploitation would need a relatively unlikely scenario, however, since Pong is disabled by default, as is FabricPath, and the FabricPath port has to be under monitoring by a SPAN (switched port analyser) session.

Users of the Adaptive Security Appliance or the Content Security Management Appliance need to apply a fix to plug a privilege escalation bug in the Web management console.

An authenticated local attacker can push themselves from guest up to root, by firing a set of malicious commands at the command line interface.

The software in question is the AsyncOS Software for ESA and Content SMA, for both virtual and hardware appliances.

Cisco's Unified Customer Voice Portal (CVP) and its NX-OS Nexus switch operating system software both have upgrades to plug denial-of-service vulnerabilities.

CVP's issue concerns its method of handling SIP traffic: a targeted appliance can be crashed by malformed SIP INVITE traffic. The issue affects Cisco Unified CVP running software releases prior to 11.6(1). ®
