Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India

Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

- cisco shutterstock - Cisco small biz switches open to hijacking via web UI –

Credits: The Register

Cisco has emitted a fresh round of updates to address holes in its network switches and controllers.

Switchzilla’s latest patch bundle includes six alerts for what it rates as critical issues, including flaws in its Small Business 220 Series switches and UCS Director software. Combined with Cisco’s fixes for ‘high’ and ‘moderate’ issues, the networking giant posted a total of 33 security alerts on Wednesday.

For the Small Business 220 Switches, a pair of patches address CVE-2019-1912, an authentication bypass flaw that lets an attacker inject a reverse shell through the web interface, and CVE-2019-1913, an remote code (as root) execution flaw also exploitable through the switch’s web management interface without any authentication.

Proof-of-concept exploit code exists for both flaws, we’re told, though Cisco says there are no reports of active malicious exploitation in the wild… yet. The holes were found and reported by an infosec bod using the handle bashis.

Also considered a priority are four critical patches for vulnerabilities in Cisco’s Unified Communications Service. Three of the patches (CVE-2019-1938CVE-2019-1974, and CVE-2019-1937) address authentication bypass flaws that would let an attacker get administrator privileges for UCS Director. A fourth UCS Director flaw, CVE-2019-1935, concerns default credentials that were left active.

Other notable patches include a fix for CVE-2019-1649, a Secure Boot flaw that would let an attacker with local access tamper with the firmware of ASA and Firepower switches, as well as more than 140 router models and several voice and unified communications devices.

Cisco is also taking the occasion to issue its patch for the Key Negotiation over Bluetooth (KNOB) security issue that was disclosed earlier this month. Switchzilla’s CVE-2019-9506 fix applies to Webex and IP phones that rely on encrypted Bluetooth connections that are susceptible to an where an interceptor would potentially be able to trick devices into issuing easy-to-crack wireless encryption keys.

Cisco’s Integrated Management Controller was a popular target this go-round, as Switchzilla addressed 14 different updates for the tool including privilege escalation (CVE-2019-1863), information disclosure (CVE-2019-1908), and denial of service (CVE-2019-12634.)

Admins are advised to test and install the patches as soon as possible.

- logo16 - Cisco small biz switches open to hijacking via web UI –

www.extremehacking.org

Sadik Shaikh | Cyber Suraksha AbhiyanEthical Hacking Training InstituteCEHv10CHFIECSAv10CASTENSACCNACCNA SECURITYMCITPRHCECHECKPOINT,  ASA FIREWALLVMWARECLOUDANDROIDIPHONENETWORKINGHARDWARETRAINING INSTITUTE IN PUNECertified Ethical HackingCSA Certified SOC AnalystCTIA EC-Council Certified Threat Intelligence AnalystCenter For Advanced Security Training in Indiaceh v10 course in Pune-Indiaceh certification in pune-Indiaceh v10 training in Pune-IndiaEthical Hacking Course in Pune-India



Source link

No tags for this post.

LEAVE A REPLY

Please enter your comment!
Please enter your name here