Tag Archives: Cisco
Cisco Releases Multiple Security Advisories
Tagged as 5500, advisory, ASA, Catalyst, Cisco, FWSM, security, Vulnerabilities
Security advisory, cisco-sa-20100217-fwsm, addresses a vulnerability in the Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers. Successful and repeated exploitation of this vulnerability could result in a denial-of-service condition.
Security advisory, cisco-sa-20100217-asa, addresses multiple vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances. These vulnerabilities may allow an attacker to gain unauthorized access to an affected system or cause a denial-of-service condition.
Security advisory, cisco-sa-20100217-csa, addresses multiple vulnerabilities in the Cisco Security Agent. These vulnerabilities may allow an attacker to execute arbitrary SQL commands, view and download arbitrary files, or cause a denial-of-service condition.
US-CERT encourages users and systems administrators to review Cisco security advisories cisco-sa-20100217-fwsm, cisco-sa-20100217-asa, and cisco-sa-20100217-csa and apply any necessary updates to mitigate the risks.
Cisco Releases Security Advisory for Unified MeetingPlace
US-CERT encourages users and administrators to review Cisco security advisory cisco-sa-20100127-mp and apply any necessary updates to help mitigate the risks.
Cisco releases software updates to fix malware vulnerability
Tagged as buffer overflow, Cisco, malware, Player, videoconference, vulnerability, WebEx
The vulnerability is a buffer overflow that can allow maliciously crafted files to temporarily enable remote code execution, opening the door to all manner of illicit access to affected machines. Experts say that such computers could be added to botnets or leave their users vulnerable to identity theft. Even if remote code execution is unsuccessful, for example because of limited user privileges, the malware could still crash affected computers.
The company said that installations of the WebEx Player software that were automatically downloaded would update themselves without the need for user action, but that manual installations would require users to download the updates from Cisco's website and install them on their own.
ZDNet's Ryan Naraine says that companies that rely on WebEx for their day-to-day business should consider this update a critical one. Naraine reports that the fix targets six specific vulnerabilities that could be exploited in the same manner.
Want to secure your iPhone against intruders? There’s an app for that
According to CNET security correspondent Elinor Mills, the app will draw on data from Cisco's Security Intelligence Operations (SIO) system, which itself collects real-time information from 700,000 sensors located at important locations throughout the internet. Mills says that Cisco uses this data to detect spam campaigns and various types of malware attack.
The SIO To Go app will also allow users to investigate websites and email addresses from their iPhones, comparing the data to watch lists maintained by Cisco's SIO. Cisco executive Marie Hattar said that "[the app] improves the means by which IT departments are alerted to threats, and it provides added confidence and device flexibility as Cisco customers are shielded from these breaches."
Jailbroken iPhones have made security headlines in recent weeks as malware programmers exploited loopholes to create the first two iPhone worms found in the wild.
Cisco wireless LAN access points vulnerable to hacker attack
Tagged as access point, AirMagnet, AP, Cisco, flaw, LAN, OTAP, Over-the-Air-Provisioning, security, wireless
The vulnerability involves Cisco's Over-the-Air-Provisioning (OTAP) feature found in its wireless access points (APs). The OTAP feature allows a Cisco AP that is not connected to a Cisco controller to listen to traffic from other nearby Cisco APs and use that information to quickly locate a nearby WLAN controller to associate to.
AirMagnet said there is an unintentional exposure or leakage of information in all lightweight Cisco APs and the potential for APs to be incorrectly assigned to an outside Cisco controller (what the researchers call "SkyJacked") either by accident or at the direction of a potential hacker.
The potential exists for the Cisco AP to "hear" multicast traffic from a neighboring network and incorrectly connect to a neighbor or otherwise unapproved Cisco controller. This ultimately could lead to an enterprise's access point connecting outside of the company to an outside controller and therefore being under outside control.
This same mechanism could be used intentionally by a hacker to SkyJack APs on purpose and take control of an enterprise's access point.
AirMagnet said it has informed Cisco of this vulnerability and potential exploit. Cisco is "taking appropriate actions."
Spam and cyberscams follow techniques of legitimate business
Tagged as botnet, Cisco, cyberscams, malware, report, SaaS, spam, techniques
Driven by the bottom line, cybercriminals have been forming partnerships with one another to help make their illegal activities more lucrative. Botnet owners are renting out their networks of compromised PCs, effectively using the software-as-a-service (SaaS) model to spread spam and malware.
"What is striking in our latest findings is how, in addition to using their technical skills to cast a wide net and avoid detection, these criminals are also demonstrating some strong business acumen," said Patrick Peterson, Cisco fellow and chief security researcher.
Other tactics of spammers include what Cisco calls "spamdexing," or the use of Blackhat SEO for drawing web traffic to compromised websites. By loading up sites with keywords or search terms, cybercriminals get their hacked sites higher up in search engine rankings.
Traditional spam is now being rivaled by SMS spam on mobile devices. Cisco describes the rapidly growing mobile device audience as a "new frontier for fraud irresistible to criminals," with a field of some 4.1 billion mobile phone subscriptions worldwide.
DTP – Share it!
Tagged as Cisco, DTP, firewall, internal network, Internal Pentests, Layer 2, network protocols, specific protocol
Overview
The one thing that is always overlooked when someone tries to secure a network is the user side. It is rare to see a DMZ network that is protected by a firewall from the users. The general idea is that if you are an internal user, you have legitimate access to the servers, so there is no need to protect them from you. In this article we will discuss a frequently overlooked feature of Cisco switches called DTP; we will explain why it is dangerous and what the steps to disable it are.
On some rare occasions, the IT security people have done their job right and limited the access from internal users to the servers in the internal or external DMZ. This of course makes it harder for a penetration tester to find something interesting to put in the report. If only he could jump into the VLAN with the servers, so there is no firewall in the way …
Well, maybe it is time to look at the Layer 2 side of the network. You might happen to know that by default Cisco switches don't put their ports in access mode, the idea being that if you happen to connect two switches, they can automatically reconfigure the ports that connect them into trunk mode, so you can share VLANs between them. The proprietary protocol that negotiates this is called DTP, which stands for Dynamic Trunking Protocol.
Yersinia is a network tool designed to take advantage of weaknesses or misconfigurations in several network protocols (STP, CDP, DTP, DHCP, HSRP, ISL, VTP). Let's try it out:
$ sudo yersinia -I
Just remember to maximize your console window if you use KDE, GNOME or another desktop, as yersinia will refuse to start if the window is too small. You can use the F1 to F10 keys to cycle through the different windows; each window shows information for a specific protocol, if that protocol is detected on the network. In our example we will focus on the DTP window and hope to see some activity there. If so, we will see some lines with ACCESS/DESIRABLE in them, which represent the current state of the port.
All we need to do now is to press 'x' to execute an attack and select '1' in order to try and enable trunking. If you see a couple of lines with 'TRUNK/DESIRABLE', this most probably means that the attack is successful. Now if you go to the 802.1Q window, you should be able to see all the VLANs that are enabled on the switch and even the IP ranges that are used in them. After that, joining a VLAN is trivial:
$ sudo modprobe 8021q
$ sudo vconfig add eth0 4
$ sudo ifconfig eth0.4 10.0.0.199 netmask 255.255.255.0 up
In this example '8021q' is the kernel module that enables VLAN support in Linux, '4' is the VLAN number and '10.0.0.199' is the IP address assigned. Just remember that you need to leave yersinia running in order to keep the port in trunk mode.
The solution to this problem is actually quite simple: put all client ports in access mode. The following commands, executed on every client port, will do just that:
# switchport mode access
# switchport access vlan x
# switchport nonegotiate
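Checking that every client port actually received those three commands is the part that tends to slip on a large switch estate. The following is an added example, not code from the original article: a small Python audit that walks the interface stanzas of a "show running-config" dump and flags any non-uplink port that is still at the dynamic default, explicitly dynamic, or missing "switchport nonegotiate". The sample configuration, the port names and the UPLINK_PORTS set are constructed for the illustration; on a real switch you would feed it the saved running-config and your own list of legitimate trunk ports.

```python
"""
Audit a Cisco IOS running-config for client-facing ports that can still
negotiate a trunk via DTP.  Added example, not part of the original article.
Assumptions: the input is in 'show running-config' format (interface stanzas
separated by '!' lines) and every interface named in UPLINK_PORTS is a
legitimate, intentionally configured trunk that should be skipped.
"""

# Constructed sample config: one port hardened exactly as the article
# recommends, one left at the IOS default (no 'switchport mode' at all),
# one explicitly 'dynamic desirable', one in access mode but without
# 'nonegotiate', and one legitimate uplink trunk.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user desk 1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user desk 2
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description printer
 switchport mode dynamic desirable
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description user desk 3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed list of known-good trunk ports (assumption for the example).
UPLINK_PORTS = frozenset({"GigabitEthernet1/0/24"})


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} for every stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' terminates the stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_dtp(config: str, uplinks=frozenset()) -> dict:
    """
    Map each non-uplink interface to a list of findings (empty list = clean).
    A port is clean only when it is forced into access mode AND carries
    'switchport nonegotiate'.  No 'switchport mode' line, or a 'dynamic'
    mode, leaves DTP negotiation available to whatever is plugged in.
    """
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if name in uplinks:
            continue
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None
        issues = []
        if mode is None:
            issues.append("no 'switchport mode' set: port is at the dynamic default")
        elif mode == "dynamic":
            issues.append("'switchport mode dynamic': port will negotiate a trunk")
        elif mode == "trunk":
            issues.append("trunk port not listed as a known uplink")
        if "switchport nonegotiate" not in lines:
            issues.append("missing 'switchport nonegotiate': DTP not explicitly disabled")
        findings[name] = issues
    return findings


def noncompliant_ports(config: str, uplinks=frozenset()) -> list:
    """Sorted names of the ports that have at least one finding."""
    return sorted(n for n, i in audit_dtp(config, uplinks).items() if i)


if __name__ == "__main__":
    for port, issues in audit_dtp(SAMPLE_CONFIG, UPLINK_PORTS).items():
        print(f"{port}: {'OK' if not issues else 'REVIEW'}")
        for issue in issues:
            print(f"    - {issue}")
```

Run against the sample, only GigabitEthernet1/0/1 comes back clean; the other three client ports are reported with the specific command that is missing, so the output can be pasted straight into a change request. The uplink is skipped because it is in UPLINK_PORTS; any trunk that is not on that list is reported as well, which doubles as a cheap check for ports that were already negotiated into trunk mode and saved that way.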