Aussie researchers discover Cisco vulnerabilities

Powered by SC Magazine

Australian IT security consultancy claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Australian IT security consultancy claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Assurance director, Adam Pointon, says researchers from the company discovered the vulnerabilities when testing a Cisco Wireless LAN Solution Engine at a customer site on January 29.

He said the flaws were reported the problems at the time of discovery, yet Cisco had rectified them as at 1am this morning.

“It did take a while [for a fix],” Pointon said, conceding that Cisco did respond straight away to Assurance's alert to the company on January 29.

Of the two vulnerabilities, he said the most serious was the “show command line interface" vulnerability, which would allow a rogue administrator of a Cisco device to “break out” of Cisco’s restricted management interface and gain privileged access to the underlying Linux-based operating system.

“It’s possible for a rogue administrator to access the underlying operating system by typing one specifically crafted command into Cisco’s restricted, text-based management interface,” Pointon said.

Products affected include the Cisco Wireless Lan Solution Engine (WLSE), Cisco User Registration Tool (URT), CiscoWorks2000 Service Management Solution (SMS), Cisco Hosting Solution Engine (HSE), Ethernet Subscriber Solution Engine (ESSE), Cisco VLAN Policy Server (VPS) and Cisco Management Engine (ME1100 Series) and CiscoWorks Service Level Manager (SLM).

Cisco advised Assurance that the ESSE and SMS carrier-class products were “end of life” and would not be patched, Pointon said. Customers using these products would need to request a fix through customer support.

Neal Wise, another director at Assurance, added that companies needed to understand that devices installed on their networks could provide more than their designed functions if compromised by an attacker.

“If they are not correctly maintained they could become a serious liability to the enterprise,” he said. “They need to be kept as secure as any other network attached computer.”

Assurance also found problems in March last year in an anti-spam and firewall manufactured by Barracuda Networks, Pointon said. This fix took 29 days to be produced.

Cisco’s response to the finding is posted here:

Aussie researchers discover Cisco vulnerabilities
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
Sign up to receive iTnews email bulletins
Latest Comments
What is delaying adoption of public cloud in your organisation?

   |   View results
Lock-in concerns
Application integration concerns
Security and compliance concerns
Unreliable network infrastructure
Data sovereignty concerns
Lack of stakeholder support
Protecting on-premise IT jobs
Difficulty transitioning CapEx budget into OpEx