Critical vulnerabilities at Cisco, millions of vulnerable switches

You will have to patch your Cisco equipment. The equipment manufacturer has just made available a series of patches addressing 34 vulnerabilities in its products that affect including IOS and IOS XE, its network software. One of them seems particularly serious.

The CVE-2018-0171 is a vulnerability in Smart Install, a home-based client software that can quickly deploy new switches. Many routers and Cisco switches are supported by this software, which gives the vulnerability the danger score of 9.8 / 10. A remote attacker can exploit it to execute code or to trigger a denial of service.

According to Embedi, the company that discovered the vulnerability, millions of connected devices would be exposed, especially because Smart Install leaves open TCP port 4786 by default. A PoC (proof of concept) of an exploit code was published by the security editor, proof that we must not delay in patching.

It should be noted that Embedi discovered this flaw in May 2017 and communicated the details to Cisco last September ... It will be recalled that the US firm is accused of playing the watch in terms of patches. A previous fix corrected a major flaw in its firewalls (CVSS score of 10/10) was thus available 80 days before the Cisco warning.

No comments:

Post a Comment