Aussie researchers discover Cisco vulnerabilities

Powered by SC Magazine
 

Australian IT security consultancy Assurance.com.au claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Australian IT security consultancy Assurance.com.au claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Assurance director, Adam Pointon, says researchers from the company discovered the vulnerabilities when testing a Cisco Wireless LAN Solution Engine at a customer site on January 29.

He said the flaws were reported the problems at the time of discovery, yet Cisco had rectified them as at 1am this morning.

“It did take a while [for a fix],” Pointon said, conceding that Cisco did respond straight away to Assurance's alert to the company on January 29.

Of the two vulnerabilities, he said the most serious was the “show command line interface" vulnerability, which would allow a rogue administrator of a Cisco device to “break out” of Cisco’s restricted management interface and gain privileged access to the underlying Linux-based operating system.

“It’s possible for a rogue administrator to access the underlying operating system by typing one specifically crafted command into Cisco’s restricted, text-based management interface,” Pointon said.

Products affected include the Cisco Wireless Lan Solution Engine (WLSE), Cisco User Registration Tool (URT), CiscoWorks2000 Service Management Solution (SMS), Cisco Hosting Solution Engine (HSE), Ethernet Subscriber Solution Engine (ESSE), Cisco VLAN Policy Server (VPS) and Cisco Management Engine (ME1100 Series) and CiscoWorks Service Level Manager (SLM).

Cisco advised Assurance that the ESSE and SMS carrier-class products were “end of life” and would not be patched, Pointon said. Customers using these products would need to request a fix through customer support.

Neal Wise, another director at Assurance, added that companies needed to understand that devices installed on their networks could provide more than their designed functions if compromised by an attacker.

“If they are not correctly maintained they could become a serious liability to the enterprise,” he said. “They need to be kept as secure as any other network attached computer.”

Assurance also found problems in March last year in an anti-spam and firewall manufactured by Barracuda Networks, Pointon said. This fix took 29 days to be produced.

Cisco’s response to the finding is posted here:

http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml#response.

Aussie researchers discover Cisco vulnerabilities
 
 
 
Top Stories
Soft drinks and SoftLayer: A solution for hard times?
Coca-Cola Amatil's CIO Barry Simpson shares his story of cost-cutting, outsourcing and why his software developers to ride around in delivery trucks.
 
Optus considers breaking net neutrality in Australia
May charge Netflix, OTT providers for premium service.
 
AGL restructure sees CIO depart
Owen Coppage to leave after ten years.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Do you support the Government's data retention scheme?

   |   View results
Yes
  11%
 
No
  89%
TOTAL VOTES: 2398

Vote