Slashdot Mirror


Cisco Patches 'Prime Home' Flaw That Allowed Hackers To Reach Into People's Homes (helpnetsecurity.com)

Orome1 quotes a report from Help Net Security: Cisco has patched a critical authentication bypass vulnerability that could allow attackers to completely take over Cisco Prime Home installations, and through them mess with subscribers' home network and devices. The vulnerability (CVE-2017-3791), found internally by Cisco security testers, affects the platform's web-based GUI, and can be exploited by remote attackers to bypass authentication and execute any action in Cisco Prime Home with administrator privileges. No user interaction is needed for the exploit to work, and exploitation couldn't be simpler: an attacker just needs to send API commands via HTTP to a particular URL. The bug exists in versions 6.4 and later of Cisco Prime Home, but does not affect versions 5.2 and earlier. "Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the Version: line in the login window. If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text," Cisco instructed in the security advisory.

7 of 19 comments

  1. So much for Cisco being more secure... by bobbied · Score: 1

    So are they more secure than the next guy? Not really, they have bugs too (not to mention they designed a lot of the really scary protocols running around the net that sacrifice security all the time).

    I guess you can give them kudos for finding an issue then fixing it too... Just don't try to find the updated firmware for that old router you have w/o a service contract.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So much for Cisco being more secure... by rubycodez · Score: 1

      Cisco is quite a bit less secure than many competing companies, they have just been riding the name recognition for years.

    2. Re:So much for Cisco being more secure... by TheGratefulNet · Score: 1

      I worked at cisco back in the early 90's when it was 3 buildings in menlo park. I later returned about 2 yrs ago for a short contract job.

      the company change was night and day, of course (they now have over 25 buildings in san jose, alone). what I noticed is that they no longer have the 'best and brightest' but they are an h1b farm, pretty much.

      do you want crappy code and bugs? cause this is how you get crappy code and bugs....

      cisco is a has-been, for the most part. some smart people are still there, but mostly it's a 9-5 job with average people doing the needful, then going home. no one really cares, from what I could see when I was there last. and if you dare DO care, they cancel you or fire you.

      I would never recommend people buy cisco anymore unless it's the only product that will do what you want; and other than core routers, I'm not sure they have any products that are 'must have's.

      --
      "It is now safe to switch off your computer."
    3. Re:So much for Cisco being more secure... by rubycodez · Score: 1

      other companies make core routers, I'd strongly recommend looking at Juniper or see if Nokia, Ericsson, Extreme Networks, Huawei, ZTE products can fit your need

  2. Prime Home by turkeydance · Score: 1

    best new Comedy show on NBC!

  3. Based on hundreds of thousands of vulns, yes by raymorris · Score: 1

    > So are they more secure than the next guy?

    I manage a vulnerability assessment system. We have hundreds of thousands of distinct vulnerabilities in our database, which we look for on the hundreds of thousands of devices we scan every week. I've been working full time in network security for 18 years. Based on the data I have, yes, Cisco is *more secure* than most. Especially if the administrator pays attention to security - Cisco provides many, many ways to make your network more secure.

    >> Not really, they have bugs too

    Anything that has code has bugs. Even most things that DON'T have code have bugs - the average home has more than 100 different kinds of bugs living in it.

    It seems perhaps you have some kind of hard-on for criticizing Cisco. That's cool. If you care at all about intellectual honesty, you can point out that Cisco tends to be quite expensive. You could point out that they don't have perfect security. They do definitely do well above average, however, in my experience testing the security of corporate networks.

  4. I propose a new acronym by Opportunist · Score: 2

    Intelligent Devices for the Internet Of Things, or in short IDIOT

    Also applicable to anyone buying something from that product group.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.