Poison ping pong prompts patch from Cisco

Switchzilla has fixes for appliances, voice portal, Nexus switch OS

By Richard Chirgwin


Cisco admins, it's your weekly patch notice.

The patch that gave us our headline is in NX-OS software, which is vulnerable to malicious pong (response to ping) packets.

If the pong packet tries to egress both a FabricPath port and a non-FabricPath port, the software tries to free the same area of memory twice. “An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco's advised.

Exploitation would need a relatively unlikely scenario, however, since Pong is disabled by default, as is FabricPath, and the FabricPath port has to be under monitoring by a SPAN (switched port analyser) session.

Users of the Adaptive Security Appliance or the Content Security Management Appliance need to run in a fix to plug a privilege escalation bug in the Web management console.

An authenticated local attacker can push themselves from guest up to root, by firing a set of malicious commands at the command line interface.

The software in question is the AsyncOS Software for ESA and Content SMA, for both virtual and hardware appliances.

Cisco's Unified Customer Voice Portal (CVP) and its NX-OS Nexus switch operating system software both have upgrades to plug denial-of-service vulnerabilities.

CVP's issue concerns its method of handling SIP traffic: a targeted appliance can be crashed by malformed SIP INVITE traffic. The issue affects Cisco Unified CVP running software releases prior to 11.6(1). ®
