Cisco warns of security holes in its security appliances • The Register

2022-06-24 22:20:36 By : Mr. Tongqing Wang

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

To exploit the vulnerability, an attacker needs valid operator-level or higher access to the appliance. Once authenticated, the miscreant can steal sensitive information, such as user credentials, from a Lightweight Directory Access Protocol (LDAP) external authentication server connected to the device due to a blunder in the query process.

We can imagine a rogue insider or someone who has compromised an operator account exploiting this flaw to further penetrate a network.

"This vulnerability is due to a lack of proper input sanitization while querying the external authentication server," reads the security advisory, which was issued last week and updated yesterday with more details on available software fixes.
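The advisory's root cause, filter values built from unsanitized input, is the classic LDAP filter-injection pattern. As an added illustration (not Cisco's code, and the filter shape and attribute names are assumptions), the block below shows the vulnerable concatenation next to the RFC 4515 escaping and allow-list checks that keep a user-supplied value from rewriting the query:

```python
import re

# Added example (not from Cisco's advisory or product code): defensive handling
# of user-controlled input placed inside an LDAP search filter. The filter
# layout and the attribute names used here are hypothetical.

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# A literal '(' followed by an attribute name and '=' starts one assertion.
_ASSERTION = re.compile(r"\((\w+)=")


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory treats it as a literal string, not filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The vulnerable shape: raw concatenation, so metacharacters alter the query."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_safe(username: str) -> str:
    """Same filter with the value escaped; metacharacters are matched literally."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def assertion_attributes(ldap_filter: str) -> list:
    """Attribute names of the assertions the server will actually evaluate."""
    return _ASSERTION.findall(ldap_filter)


def username_is_allowed(username: str) -> bool:
    """Defence in depth: accept only the character set an account name needs."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username) is not None


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and one carrying filter metacharacters.
    for name in ("alice", "a)(cn=b"):
        print(name, "->", build_filter_unsafe(name), "|", build_filter_safe(name))
        print("  assertions:", assertion_attributes(build_filter_unsafe(name)),
              "vs", assertion_attributes(build_filter_safe(name)))
```

Comparing the assertion counts for the second input shows the concatenated filter gaining an extra clause while the escaped one keeps the value as a single literal.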

Cisco deemed the three other vulnerabilities medium severity, though their CVSS scores range from 9.1 to 5.4. We're told miscreants haven't (yet) exploited any of these bugs either.

The 9.1-severity vuln, tracked today as CVE-2022-20829, is in the packaging of Cisco Adaptive Security Device Manager (ASDM) software images and the validation of those images by Cisco Adaptive Security Appliance (ASA) software.

Cisco only rates the bug as medium severity, despite the high CVSS score, because an attacker needs administrative privileges to exploit this bug. By uploading a specially crafted image containing malicious code to a device running Cisco's ASA software, and waiting for a targeted user to access that device via ASDM, the rogue administrator can execute the malicious code on the user's machine.

It's a fairly complicated vulnerability to exploit with a limited set of targets, which is good considering it's only partially patched. Updating both the ASA software and the ASDM is required to fully fix this vulnerability. The vendor issued patches for all affected ASDM versions. However, Cisco only has software updates for ASA software releases 9.17 and earlier. Fixes for 9.18 won't be available until August, and there are no workarounds.

"This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software," the vendor noted.

Also today, Cisco warned customers about a 6.5-severity flaw in the CLI parser of the Cisco FirePOWER Software for Adaptive Security Appliance FirePOWER module tracked as CVE-2022-20828. 

"This vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user," according to the security advisory.

An attacker must have administrative access to the ASA and the ASA FirePOWER module to exploit the bug. But assuming that's the case, a miscreant could exploit it using a crafted CLI command or HTTPS request. Still, "the attack vector through an HTTPS request is open only if HTTPS management access is enabled on the Cisco ASA that is hosting the ASA FirePOWER module," the vendor noted.

Cisco FirePOWER Software for ASA FirePOWER module releases 6.2.2 and earlier, plus releases 6.3.0 and 6.5.0, have reached end of life, and won't be updated, so the vendor said customers should migrate to a release that includes a fix for this vulnerability. 

However, one of the software updates won't be available until July and a second until December.

Finally, CVE-2022-20802, a flaw in the web interface of Cisco Enterprise Chat and Email that could lead to a cross-site scripting attack against a user of the interface, received the lowest severity score of 5.4.

An attacker would need valid agent credentials to exploit this vulnerability, and could do so by sending a crafted HTTP request to the affected system. "A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information," Cisco warned.

Cisco said it will fix versions 12.6(1) ES2 and earlier in a future software release, but didn't provide a timeline for when that will happen. ®

