Slashdot Mirror


Cisco Scrambles To Patch Second Shadow Brokers Bug In Firewalls (onthewire.io)

Trailrunner7 writes: Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls. The latest weakness lies in the code that Cisco's IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR. Cisco does not have patches available for this vulnerability yet, and said there are no workarounds available to protect against attacks either. Many of the products affected by this flaw are older releases and are no longer supported, specifically the PIX firewalls, which haven't been supported since 2009.

  1. Bad wording by campuscodi · Score: 3, Insightful

    Scrambles is the incorrect term. The exploit has been around for about a month. You "scramble to fix" something in a few hours or days.... not a month after.

    1. Re:Bad wording by jellomizer · Score: 4, Informative

      If you are a company the size of Cisco, with so many customers, a month is a good scramble, as there are many levels of checks that need to be done before you release it. Because while the flaw is really bad, causing all the customers to have their firewalls brick from a bad patch is worse.

      Most of us work on small-scale programs, where downtime or a major problem isn't nearly as big a deal. However, with Cisco, a problem in deployment can bring down the entire economy.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. No support for Pix since 2009? by Anonymous Coward · Score: 2, Funny

    Had a Pix. Can't say there was much support before 2009 either.

  3. Re:PIX EOL by LostMyBeaver · Score: 2

    Or configure your IPSEC properly with IKEv2. The best fix is to EOL v1.

  4. Re:yes, the level of testing / stability by Anonymous Coward · Score: 2, Interesting

    You never worked with Cisco firmware. It is often very difficult to obtain both the features you require and the hardware without running into a gotcha re compatibility or bugs. No active maintenance contracts, and it's often easier and cheaper to replace the entire device. Sad but true!