Poison ping pong prompts patch from Cisco

Switchzilla has fixes for appliances, voice portal, Nexus switch OS

By Richard Chirgwin

Posted in Networks, 18th January 2018 02:59 GMT

Cisco admins, it's your weekly patch notice.

The patch that gave us our headline is in NX-OS software, which is vulnerable to malicious pong (response to ping) packets.

If the pong packet tries to egress both a FabricPath port and a non-FabricPath port, the software tries to free the same area of memory twice. “An exploit could allow the attacker to cause a dual or quad supervisor virtual port-channel (vPC) to reload,” Cisco's advised.

Exploitation would need a relatively unlikely scenario, however, since Pong is disabled by default, as is FabricPath, and the FabricPath port has to be under monitoring by a SPAN (switched port analyser) session.

Users of the Adaptive Security Appliance or the Content Security Management Appliance need to run in a fix to plug a privilege escalation bug in the Web management console.

An authenticated local attacker can push themselves from guest up to root, by firing a set of malicious commands at the command line interface.

The software in question is the AsyncOS Software for ESA and Content SMA, for both virtual and hardware appliances.

Cisco's Unified Customer Voice Portal (CVP) and its NX-OS Nexus switch operating system software both have upgrades to plug denial-of-service vulnerabilities.

CVP's issue concerns its method of handling SIP traffic: a targeted appliance can be crashed by malformed SIP INVITE traffic. The issue affects Cisco Unified CVP running software releases prior to 11.6(1). ®

Sign up to our NewsletterGet IT in your inbox daily

Post a comment

More from The Register

Skype, Slack, other apps inherit Electron vuln

Updated Devs, check your protocol handling, patch if necessary

Skype for Biz users: Go watch nature vids. Microsoft wants you to get good at migration

New roadmap for Teams does everything but name Skype's death date

That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Oh yeah, we patched that in October, Windows giant yawns

Make sure your Skype is up to date because FYI there's a nasty hole in it

Nothing to see here, says Microsoft, just more crappy code

Can't login to Skype? You're not alone. Chat app's been a bit crap for five days now

Something something two-factor authentication – Microsoft

Skype for Business has nasty habit of closing down… for business

It's not just you, VoIP app is prone to failures

Belgian court says Skype must provide interception facilities

Microsoft classified as a telco, so told to cough up. It may gaufre an appeal

Microsoft says Skype outages are over – a few hours too early

Global Skype outages spill over onto a second day

Dell EMC squashes pair of VMAX virtual appliance bugs

vApp Manager contained undocumented default account

Cortana, please finish my sentences in Skype texts for me

Redmond's AI assistant can now scan your messages and make your more eloquent