A bunch of new Cisco advisories this morning: since yesterday 18 total, 16 new. So get cracking...
9 of the new ones rated high
Asking only half-jokingly... is the best remediation to switch vendors?
The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.
Still, it's not a great look. I thank the stars I'm not in an operational role anymore.... after a while though it's just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet facing unless they are actively impacted by a bug / need a new feature.
Let's face it, even with a 6 month patch cycle you're still behind the curve, heck, 3 months. Unfortunately network gear is all pets not cattle, you can't just bounce them all the time and only the big iron has SSO/NSF.
Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*
Wow, Wintermute, that cough sounded like words...
But, yes, shops can install code like DevOps over and over and over again... UNTIL... there's a big outage. Then, test that patch in dev and integration environments for a month before even *thinking* of getting a change request submitted...
And, meanwhile, the security press screams about how devices go unpatched.
Work keeps threatening to put the results of the Nessus scan onto a dashboard for "higher ups" to see. I keep tracking vulnerabilities, and shipping them off to the security folks. Users don't like it when their stuff breaks due to a device reload. So stuff keeps getting pushed and pushed and my list gets longer and longer.
"I just reduced our Internet vulnerability by 25%."
"Awesome, what did you do?"
"Unplugged the Internet connection for 6 hours a day."
It was just the bi-annual Cisco announcement, NBD. I thought that came out last week. I thought it was the 3rd Wednesday of September.
Quote from: wintermute000 on September 29, 2016, 07:33:57 AM
The problem is that you don't know what everyone else is either not disclosing, or not realising they are vulnerable to.
Still, it's not a great look. I thank the stars I'm not in an operational role anymore.... after a while though it's just a blur (vulnerability after vulnerability) and heaps of places don't bother patching anything not directly internet facing unless they are actively impacted by a bug / need a new feature.
Let's face it, even with a 6 month patch cycle you're still behind the curve, heck, 3 months. Unfortunately network gear is all pets not cattle, you can't just bounce them all the time and only the big iron has SSO/NSF.
Not to mention with the quality of the code we've been getting over the last 4-5 years.... what a crapshoot, especially in certain product lines *cough wireless cough*
:banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana: :banana:
The high categorization is also kind of misleading. Most if not all the new announcements were for "crafted packet causes DoS" but the details about that crafted packet are not available, and have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs' site to attack you. Much easier that way, and I can then go golfing.
-Otanx
Quote from: Otanx on September 29, 2016, 03:18:14 PM
The high categorization is also kind of misleading. Most if not all the new announcements were for "crafted packet causes DoS" but the details about that crafted packet are not available, and have not been seen in the wild by Cisco. So it would require a high level of skill to figure out how to craft the packet to exploit the issue, and all you get for your hard work is a reboot of the box. As an attacker I could just pay the guys that took down Krebs' site to attack you. Much easier that way, and I can then go golfing.
-Otanx
There was that ASA SNMP vulnerability a little while ago. My colleague was kicking up a fuss to me about it whilst making comments like "omg!" and "oh crap!" as he was reading. But the vulnerability would ONLY come into play if the ASA was configured to allow SNMP from the source host IP or subnet. So if you only allow SNMP for specific host(s) then you're not affected (unless that host is compromised and an attack comes from that host).
Although maybe the high criticality on that one was to cover anyone using SNMP across the internet? Cough SNMPv3 cough...
Think I caught something from wintermute.
You're forgetting crafted/spoofed attack vector
Yeah, good point. Would SNMPv3 encrypt the data so you couldn't tell it was SNMP traffic? You would have to change the SNMP listening port as well so it was just "some kind of UDP" traffic in case it's sniffed.
SNMPv3 encrypts the data, but the problem with the SNMP vulnerability is that because it is UDP I can just spoof an IP that is on the ACL. There are still other mitigations like uRPF, but it isn't foolproof. If that is the SNMP vulnerability I think you are talking about then the other bad thing was exploit code was released so it is now much easier to do.
-Otanx
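For the mitigations discussed in this exchange (SNMP restricted to named hosts, SNMPv3 authPriv instead of a community string, and uRPF as a partial answer to spoofed UDP sources), here is a constructed ASA configuration fragment. It is an added example, not something posted in the thread; the interface names, management host address and user/group names are assumptions.

```cisco
! Constructed example (not from the thread). Assumes management network on 'inside',
! a single poller at 192.0.2.10, and interfaces named 'inside' and 'outside'.

! SNMPv3 only: the group requires authentication and privacy (authPriv),
! so no community string exists for a spoofed packet to carry.
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>

! Bind the SNMP listener to the inside interface and to one host only.
! With no 'snmp-server host outside ...' line, SNMP arriving on 'outside'
! is dropped regardless of what source address it claims.
snmp-server host inside 192.0.2.10 version 3 nms-poller

! uRPF: drop packets whose source address is not reachable back out the
! interface they arrived on. Catches an 'inside' address showing up on
! 'outside', but not a spoofed source that is legitimately routed via the
! same interface, which is why it is a mitigation rather than a fix.
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Verify what is actually listening and who is allowed to poll:
!   show run snmp-server
!   show snmp-server statistics
```

The `show` commands at the end are the quick check that no legacy `community` host entry survived the change, since a v1/v2c entry left in place is exactly the spoofable case described above.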
like 17 more new ones just announced yesterday :barf:
The whole world needs to take an outage on 1 December and just upgrade EVERYTHING. EVERYTHING. All the patches, no excuses. Just do it.
7 more new advisories yesterday.
Quote from: deanwebb on November 03, 2016, 08:06:54 AM
Quote from: ristau5741 on November 03, 2016, 05:59:18 AM
7 more new advisories yesterday.
Any of them good?
none of them are good.
the Cisco Prime Home one was pretty funny.
"A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges."
Quote from: ristau5741 on November 04, 2016, 11:11:43 AM
"A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges."
:haha2:
Quote from: deanwebb on November 04, 2016, 11:23:23 AM
Quote from: ristau5741 on November 04, 2016, 11:11:43 AM
"A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication. The attacker could be granted full administrator privileges."
:haha2:
Heh... was just talking about Prime yesterday at a sales meeting. A Channel guy external to the company suggested we find a way to integrate with Prime since a lot of incumbent Cisco shops use it and it's a typical objection they get... I looked at him in disgust. :P
Make a product that does what Prime does, but better, and the world will beat a pathway to your door.
Arista already does for the data center. That's their focus area.
32 announcements today, 3 of which are updated, 29 are new. :barf:
Quote from: ristau5741 on December 08, 2016, 05:53:42 AM
32 announcements today, 3 of which are updated, 29 are new. :barf:
How many score a 10 on the CVSS scale?
Quote from: deanwebb on December 08, 2016, 07:39:26 AM
Quote from: ristau5741 on December 08, 2016, 05:53:42 AM
32 announcements today, 3 of which are updated, 29 are new. :barf:
How many score a 10 on the CVSS scale?
none but that is not the point.
It is the point if you're in management. Not a 10 == we can postpone the patch until our annual patch-a-thon because anything less than a 10 is fine, right?
19 fresh ones, if you run UCS yer in a world of hurt, also prime ISE, ACS all affected by various issues.
ISE one doesn't look too bad, just a sponsor portal gaffe.
Looks like a big chunk of the advisories deal with XSS issues, I'm guessing it's a block of code common to all those platforms.
Another 18 released yesterday, 7 high
Lots involving DNS and our old friend cross-site scripting.
My apologies if you run Prime, WaaS, or ISE!
23 new vulnerabilities announced yesterday.
Are these all the same vulnerability on each platform, or are we dealing with more diversity in how things go boom on Cisco this week?
Quote from: deanwebb on June 22, 2017, 10:15:49 AM
Are these all the same vulnerability on each platform, or are we dealing with more diversity in how things go boom on Cisco this week?
Based on the CVEs, different platforms are covered under each advisory.
Reading the list, looks like a bunch of XSS vulnerabilities.
AGAIN.
:facepalm2:
'nother big announcement yesterday 3 crit, 4 high, rest medium
yer kinda screwed if you are running Cisco Ultra Services Framework (for mobile network operators)
What gets me about Cisco is that so very many of their vulnerabilities are from a lack of code hardening on features that they don't use anyway or that have been known issues for ages (like XSS) and they simply didn't bother until recently to patch this thing or that.
Quote from: deanwebb on July 06, 2017, 10:56:01 AM
What gets me about Cisco is that so very many of their vulnerabilities are from a lack of code hardening on features that they don't use anyway or that have been known issues for ages (like XSS) and they simply didn't bother until recently to patch this thing or that.
Back in the old days, it wasn't a vulnerability if no one knew about it. Keep it on the hush-hush and you are free and clear. These days with so many researchers, companies disclosing vulnerabilities, and rewarding people who do find them, companies are walking a thin line, especially public ones that have to answer to stockholders.
Where do you guys get these advisories?
Quote from: LynK on July 10, 2017, 01:57:24 PM
Where do you guys get these advisories?
https://tools.cisco.com/security/center/publicationListing.x is a good place to start. It's nice and filterable, in a Cisco-y kind of way.
Quote from: deanwebb on July 10, 2017, 02:33:52 PM
Quote from: LynK on July 10, 2017, 01:57:24 PM
Where do you guys get these advisories?
https://tools.cisco.com/security/center/publicationListing.x is a good place to start. It's nice and filterable, in a Cisco-y kind of way.
There is also an RSS feed here, if you are too lazy to click on a bookmark.
https://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml
or get them as an email
http://www.cisco.com/cisco/support/notifications.html
-Otanx
Gives me an idea... I can add vendor feeds to the forums here...
Sound like a good idea?
Quote from: deanwebb on July 11, 2017, 08:42:44 AM
Gives me an idea... I can add vendor feeds to the forums here...
Sound like a good idea?
only if they pay
15 more announced yesterday, nothing critical.
So that means they've found them all now right? :mrgreen:
Software deployment strategy: get it out to market as fast as you can. QA it later.
If you guys have Cisco spark, I can configure an RSS feed to post updates to a space and we all get it. Emails are so last year :)
That would be good to try out... I try to set up RSS feeds from Cisco, but they either don't work or have a max. 30 days of operation before they have to be renewed.
19 more added yesterday, sucks if you run APIC
Since $VENDOR is a competitor of Cisco's, I'll refrain from vendor-bashing.
With that being said, there is a real issue with Cisco's continued reliance on old code, and it crops up in these security updates of theirs, every time. For the most part, it's not in the IOS itself, but in the web front-end that the gotchas exist.
Must be September again, but I don't think these 21 announcements yesterday are part of that bi-annual security release.
which I'm still looking forward to.
sucks if you run APIC, again....
I'll say one good thing about Cisco: at least they're not Oracle.
:developers:
15 more yesterday, tough day if you are in the security or remote access biz.
Quote from: ristau5741 on October 05, 2017, 06:47:36 AM
15 more yesterday, tough day if you are in the security or remote access biz.
I saw those. Most were dealing with GUIs, if I scanned them correctly.
16 new vulns announced yesterday: 1 crit, 3 high, 12 medium.
AAA vulnerability affects NX-OS and FX-OS and some of the UCS.
Some others not relevant to my environment: SIP and cloud platforms tagged as high.