
Dev.SN ♥ developers

Submission Preview

Testing LifeS_Certainties_Death_Taxes_And_Cisco_Patching_More_Serious_Vu

Pending submission by SNAPI_Test at 2019-10-06 13:44:15
Software

Title: Life's Certainties: Death, Taxes, And Cisco Patching More Serious Vulnerabilities


Arthur T Knackerbracket has found the following story [theregister.co.uk]:

Cisco has issued an update to address security flaws in three of its networking and security offerings.

Switchzilla's latest security bundle [cisco.com] includes fixes for 18 CVE-listed vulnerabilities in the firmware for the Adaptive Security Appliance, Firepower Management Center, and Firepower Threat Defense lines.

Administrators are advised to test and install the updates as soon as possible.

Among the most serious of the vulnerabilities is the pack of eight CVE-listed SQL injection flaws [cisco.com] in the Firepower Management Center.

In each case, a baddie would be able to send and execute arbitrary SQL commands via the web management console. The SQL commands would be able to do everything from viewing data on the device to modifying files and even sending commands to the operating system.

Firepower Management Center was also found to contain a separate command injection flaw (CVE-2019-12690) and three remote code execution vulnerabilities (CVE-2019-12687, CVE-2019-12688, CVE-2019-12689).

For Adaptive Security Appliance, each of the vulnerabilities is a denial-of-service flaw. While DoS is normally not a particularly major concern, when you're talking about a dedicated security appliance it means a complete breakdown in protection for other devices, and thus is a very significant danger.

Among the five CVE-listed bugs for ASA, the most serious appear to be CVE-2019-12673, CVE-2019-15256, and CVE-2019-12678. All three bugs can be triggered remotely by sending specially-crafted data packets to the vulnerable device.

Also of note were CVE-2019-12677, a flaw that lets a remote aggressor block SSL/TLS connections, and CVE-2019-12676, a flaw that lets a bad actor already on the local network order a restart of the device.

Finally, for Firepower Threat Defense, Cisco has issued patches that clean up a pair of container escape bugs (CVE-2019-12675, CVE-2019-12674) that would allow a black hat to break out of FTD's sandbox and execute commands on the host machine with root clearance.

Lest admins want to put these updates off until next week, keep in mind that on Tuesday Microsoft, Adobe, and SAP are all due to deliver their monthly Patch Tuesday update bundles. ®
