Slashdot Mirror


Cisco Patches Authentication, Denial-of-Service, NTP Flaws In Many Products (csoonline.com)

itwbennett writes: Cisco Systems has released a new batch of security patches for flaws affecting a wide range of products, including for a critical vulnerability in its RV220W wireless network security firewalls. The RV220W vulnerability stems from insufficient input validation of HTTP requests sent to the firewall's Web-based management interface. This could allow remote unauthenticated attackers to send HTTP requests with SQL code in their headers that would bypass the authentication on the targeted devices and give attackers administrative privileges.

33 comments

  1. HTTP requests with SQL code by ls671 · · Score: 2

    HTTP requests with SQL code: about using prepared statements and parameterized queries?

    --
    Everything I write is lies, read between the lines.
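
An added example, not code from the thread or from Cisco: it contrasts the string-built query that lets SQL in an HTTP header change an authentication lookup, as the summary describes, with the parameterized query the comment above mentions. The `sessions` table, the `X-Session-Token` header name and all values are assumptions constructed for illustration; the page does not describe the device's actual storage or header handling.

```python
import sqlite3

def make_db():
    # Constructed schema and data (assumption, not the device's real storage).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, "
               "username TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO sessions VALUES ('9f2c-constructed-token', 'admin', 1)")
    return db

def lookup_unsafe(db, headers):
    """Vulnerable pattern: header text is concatenated into the SQL statement."""
    token = headers.get("X-Session-Token", "")  # hypothetical header name
    sql = "SELECT username, is_admin FROM sessions WHERE token = '" + token + "'"
    return db.execute(sql).fetchone()

def lookup_bound(db, headers):
    """Hardened pattern: the header value is bound as data, never parsed as SQL."""
    token = headers.get("X-Session-Token", "")
    # Length check is defence in depth only; parameter binding is the actual fix.
    if not (0 < len(token) <= 64):
        return None
    return db.execute(
        "SELECT username, is_admin FROM sessions WHERE token = ?", (token,)
    ).fetchone()

# Constructed request headers.
VALID = {"X-Session-Token": "9f2c-constructed-token"}
TAUTOLOGY = {"X-Session-Token": "' OR '1'='1"}  # SQL fragment in a header
QUOTE = {"X-Session-Token": "o'brien"}          # harmless value with a quote

def compare(headers):
    """Return (unsafe_result, bound_result) for one set of request headers."""
    db = make_db()
    try:
        unsafe = lookup_unsafe(db, headers)
    except sqlite3.Error:
        # A stray quote breaks the concatenated statement outright.
        unsafe = "sql-error"
    return unsafe, lookup_bound(db, headers)

if __name__ == "__main__":
    for name, hdrs in (("valid", VALID), ("tautology", TAUTOLOGY), ("quote", QUOTE)):
        print(name, compare(hdrs))
```

A SQL error triggered by a single quote in a header, as in the third case, is also a useful signal to alert on in the management interface's logs.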
  2. Input validation does not cause SQLi by WaffleMonster · · Score: 3, Insightful

    The only cause of SQLi is gross incompetence. It can never be caused by an accident or failure to do something.

    It can only be caused by willful and deliberate action to do something you know or should know to be wrong, stupid and dangerous at the time you did it. Unbound query strings don't build themselves.

    1. Re:Input validation does not cause SQLi by Anonymous Coward · · Score: 0

      "When under fire in trenches, it gives us great comfort to know that our weapons and other equipment has been ordered from the lowest bidder."

    2. Re:Input validation does not cause SQLi by Anonymous Coward · · Score: 1

      > The only cause of SQLi is gross incompetence.

      How true.

      What perhaps horrifies me more is that the phantasy in our profession can't come up with a decent GUI other than with this browser + web server + sql data base monstrosity; most probably a PHP abomination and a MySQL database (not that a node or django -- and a couch or mongo would make that better) *plus* a big fat chunk of javascript with an embedded, mutilated mutant of jquery or similar.

      I'm deeply ashamed of the trade I'm in.

    3. Re:Input validation does not cause SQLi by Anonymous Coward · · Score: 1

      Another 'Big Name' exposed as lacking quality, too little, too late.
      Apple is a 'premium' company, while the 'premium' on this brand's reputation has been outed.
      May as well buy cheap Chinese crap because it does the same thing, and probably no worse.
      Throw in a few back doors, compromised keys - no corporate automatic sales for you.

      Cisco and Blackberry - what will they have in common going forward?

  3. stupid timothy by Anonymous Coward · · Score: 0

    Nobody cares mr. mod.... stop promoting crap on the frontpage... especially cso stuff

  4. Hey timothy by DNS-and-BIND · · Score: 2

    Why are you the only one posting stories recently? The other two crappy editors who posted dupes haven't been heard from in a while.

    Hey timothy, I dare you, post another link to forbes.com.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:Hey timothy by Anonymous Coward · · Score: 0

      They were promptly fired as one of the first things Whipslash did after taking the helm. Farewell Samzenpus and soulskill, you will be missed.

    2. Re: Hey timothy by Anonymous Coward · · Score: 1

      No they won't.

    3. Re: Hey timothy by 93+Escort+Wagon · · Score: 0

      Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.

      They're still human beings with bills to pay and likely families to support.

      --
      #DeleteChrome
    4. Re: Hey timothy by Anonymous Coward · · Score: 0

      They've been part of /. for probably as long as it's been around so like 15+ years. Here we are commenting away and listening to Whipslash tell us how much we wanted to be un-Dicely while behind the scenes he goes and shows the long time editors the door. Dice did some dumb things but AFAIK they kept the editors around. I have no idea if it was necessary but I can tell you that's a drastic change right off the bat. Slashdotters loved to hate Dice but no guarantees on Mr. Whipslash the editor shitcanner will be any improvement.

    5. Re: Hey timothy by drinkypoo · · Score: 1, Insightful

      > Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.

      Yes, yes it is, because they were shit at their fucking jobs. In a world in which there are so many people homeless, jobless, hopeless, it's fucking pathetic to see people phone in their job like they can't be arsed to give one tenth of one fuck. That's especially true in tech, where more and more workers are losing their jobs even when they do them.

      If they were good at their jobs, or even made more than a token effort, then we would miss them. They were shit, and they shit up Slashdot, and if you miss them, you're part of the fucking problem because you've been giving them a free pass for their shit work. Why would I miss an employee with no work ethic?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re: Hey timothy by Anonymous Coward · · Score: 0

      Do you have any clue how many underemployed, Starbucks-smelling English majors would have given up a testicle to have the opportunity to write a decent, grammatically-correct, comprehensible summary instead of the half-baked clickbait that Dice's editors were hashing out? Human beings with bills to pay should at least make an effort to pretend to work for their salaries: the Dice editors sure as hell didn't.

  5. I still wonder by jones_supa · · Score: 2

    A great part of the Internet is woven together by those turquoise boxes. They form a vulnerable part of the infrastructure. I find it strange that open source tinfoil hatters have not criticized more the fact that all of that gear runs proprietary code. All of the boxes could have a backdoor that allows a government surveillance organization to connect and change settings or to wiretap passing traffic. Why do not these discussions usually come up?

    1. Re:I still wonder by Anonymous Coward · · Score: 0

      Are you kidding?

    2. Re:I still wonder by jones_supa · · Score: 1

      That's what I want to say to the people talking about UEFI backdoors.

    3. Re:I still wonder by Anonymous Coward · · Score: 0

      > A great part of the Internet is woven together by those turquoise boxes

      1. No.
      2. Carrier grade routers and switches aren't administered via HTTP.
      3. Carrier grade networks don't allow access from the general internet to the management interfaces either.

      > All of the boxes could have a backdoor that allows a government surveillance organization to connect and change settings or to wiretap passing traffic.

      Have you ever tried using a span port on a Cisco CRS router loaded with hundred gig linecards? Do you have ANY idea what kind of load that puts on a system?
      Obviously not. You try dropping a config change in one of our routers or switches to do anything like what you're saying, and it's going to be immediately obvious as the gear drops its shit all over the floor.
      When you want to tap data at the Carrier level, you don't use a router or switch. You install an inline appliance between two pieces of network gear which is capable of actually mirroring that volume of traffic at line-rates.

      > Why do not these discussions usually come up?

      Because it's an issue which is of concern for Enterprise and small business. You don't have these same types of concerns at the Carrier level for a variety of reasons, the largest of which is that it becomes incredibly, immediately obvious if someone is fucking around with the network in a bad way.

    4. Re:I still wonder by valnar · · Score: 1

      If the Internet is woven together by the Small Business Line of Cisco, we're in trouble.

  6. Cisco patches RV220W firewall .. by tetraverse · · Score: 1

    If Cisco can't get it right then what hope do the rest of us have? But then again using a html protocol to remotely control a security device isn't the best of ideas.

    1. Re:Cisco patches RV220W firewall .. by AchilleTalon · · Score: 2

      HTML isn't a protocol. HTTP and HTTPS are.

      --
      Achille Talon
      Hop!
    2. Re:Cisco patches RV220W firewall .. by Anonymous Coward · · Score: 0

      You have it backwards, big companies like Cisco are terrible environments for producing good code. Assuming this thing was even developed in-house and not outsourced to a basement in China where "embedded programming" means mashing a random assortment of open source poo together and shoving it out the door as soon as it works.

  7. RV220W... by l0n3s0m3phr34k · · Score: 1

    Was never supposed to be an "enterprise" piece of equipment anyway. It's part of their Small Business line, which used to be called Linksys. Thus why it has an HTML-based gui, craptastic security, etc. If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless. You get what you pay for, and Cisco has never been cheap. If the product is cheap, then expect issues like these. I finally gave up on my RW180 because it just wouldn't keep the PAT going after a few hours. Even when their tech remoted in and checked that it was all set up properly, it still died after less than a day and required a reboot to get it to work again. So far, the $25 small form factor Dell with PfSense is running far better and has had zero issues.

    1. Re:RV220W... by drinkypoo · · Score: 1

      > If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless.

      And then you can still expect amateur hour security mistakes, and intentional back doors, because we're talking about Cisco, and that's how they roll. There have been multiple serious holes in IOS.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:RV220W... by l0n3s0m3phr34k · · Score: 1

      Indeed! In fact, we used a documented exploit to reboot a bad 6000 series switch at work. White-hat hacking at its finest LOL

  8. Links are reversed by phishybongwaters · · Score: 2

    If anyone else ends up clicking the "security updates" link in the summary and starts to wonder why they are only talking about the RV220W, it's because the submitter reversed the links, you need to click the Cisco RV220W link to get the article with ALL the products.

  9. HTTP Web Interface? by Anonymous Coward · · Score: 0

    WTF were they thinking using http for the web interface? HTTPS should have been the minimum and anything coming from the wrong side should simply be dropped and if more than a single attempt (Ping) the IP blocked for 10-15 mins.

    Captcha: Breach

  10. What's your problem? by Anonymous Coward · · Score: 0

    See subject: Leave them alone - have YOU done a better job? As to myself vs. your obvious "weapon-of-choice"?? See below...

    * :)

    (Everyone's a critic - VERY FEW are the chefs, a much harder job...)

    APK

    P.S.=> On that last note? I can be a 'critic' too, but I'll have ways to back it up vs. your bs:

    I see your "phantasy-land" online delusional FAKE name registered 'luser' name here is "DNS-and-BIND" - well, that about answers my question in my subject line above for me - In fact, I HAD TO FIX YOUR FUCKUPS IN DNS via APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.start64.com/index.p... (and many other problems in security, speed, reliability + anonymity for end users also) by AVOIDING THAT SECURITY-HOLE RIDDEN insecure hunk of junk (of which 99.999% of ISP DNS servers are NOT patched vs. in the Kaminsky redirect poisoning flaw) that is complexity room for exploit & breakdown (which dns does go down a LOT) resolving FASTER locally while hosts are cached in RAM w/ users' favorite sites @ the TOP of hosts there which also offloads your dns servers too (by lessening their loads, which dns admins ought to love too)... apk

    1. Re:What's your problem? by Anonymous Coward · · Score: 0

      > See subject: Leave them alone

      Actually the subject you used is "What's your problem?"

      Does anyone else find it rather amusing that instead of posting the IP for his website, APK always uses a DNS entry? I seem to recently have read a post here about some of the dangers of using DNS servers....

    2. Re:What's your problem? by Anonymous Coward · · Score: 0

      Again - what's your problem? It's normal to use that in links. You evade a question. You done better yourself Mr. critic (which anyone can be)? Prove it.

  11. It's their "small business" line of product by zerofoo · · Score: 1

    This stuff is the crap leftover from the Linksys acquisition. I would be willing to bet none of their SMB products share much code with their big business stuff (ASA, Catalyst, and their real routers based on IOS).

    If you've ever called tech support for their "pro" stuff - you get some pretty awesome people usually based in the US. Last time I called their SMB support teams I got a guy in Bulgaria (in his defense he did quickly recognize that my defective hardware needed to be replaced).

    This type of flaw is probably not a systemic problem with Cisco's other products.

  12. It's 1 of my hardcoded favorites in hosts by Anonymous Coward · · Score: 0

    See subject: I go there faster + no risk vs. DNS Kaminsky flaw redirect poisoning (99.999% ISP DNS != patched vs. it) avoiding DNS totally vs. that risk + DNS going down (does a lot) & tracking my dns requests too!

    * You fail...

    APK

    P.S.=> Face facts: You WISH you were me... apk