Aussie researchers discover Cisco vulnerabilities

Powered by SC Magazine
 

Australian IT security consultancy Assurance.com.au claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Australian IT security consultancy Assurance.com.au claims it has taken Cisco almost three months to patch two vulnerabilities which affect the security of several of its products.

Assurance director, Adam Pointon, says researchers from the company discovered the vulnerabilities when testing a Cisco Wireless LAN Solution Engine at a customer site on January 29.

He said the flaws were reported the problems at the time of discovery, yet Cisco had rectified them as at 1am this morning.

“It did take a while [for a fix],” Pointon said, conceding that Cisco did respond straight away to Assurance's alert to the company on January 29.

Of the two vulnerabilities, he said the most serious was the “show command line interface" vulnerability, which would allow a rogue administrator of a Cisco device to “break out” of Cisco’s restricted management interface and gain privileged access to the underlying Linux-based operating system.

“It’s possible for a rogue administrator to access the underlying operating system by typing one specifically crafted command into Cisco’s restricted, text-based management interface,” Pointon said.

Products affected include the Cisco Wireless Lan Solution Engine (WLSE), Cisco User Registration Tool (URT), CiscoWorks2000 Service Management Solution (SMS), Cisco Hosting Solution Engine (HSE), Ethernet Subscriber Solution Engine (ESSE), Cisco VLAN Policy Server (VPS) and Cisco Management Engine (ME1100 Series) and CiscoWorks Service Level Manager (SLM).

Cisco advised Assurance that the ESSE and SMS carrier-class products were “end of life” and would not be patched, Pointon said. Customers using these products would need to request a fix through customer support.

Neal Wise, another director at Assurance, added that companies needed to understand that devices installed on their networks could provide more than their designed functions if compromised by an attacker.

“If they are not correctly maintained they could become a serious liability to the enterprise,” he said. “They need to be kept as secure as any other network attached computer.”

Assurance also found problems in March last year in an anti-spam and firewall manufactured by Barracuda Networks, Pointon said. This fix took 29 days to be produced.

Cisco’s response to the finding is posted here:

http://www.cisco.com/warp/public/707/cisco-sr-20060419-priv.shtml#response.

Aussie researchers discover Cisco vulnerabilities
 
 
 
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  26%
 
Application integration concerns
  3%
 
Security and compliance concerns
  29%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  23%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 828

Vote