Search This Blog

Showing posts with label Cisco. Show all posts

Phishing Emails Faking Voicemails aim to Steal Your Data

 

Vishing is the practice of sending phishing emails to victims that appear to be voicemail alerts to acquire their Microsoft 365 and Outlook login information. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active. 

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers inform recipients of missed voicemails via email notifications that contain links to web-based attachments. Although many people don't check voicemail, audio messages on LinkedIn and WhatsApp have been there for a while, so using them to deceive consumers into clicking a link in an email can be successful. 

Naturally, when the target clicks the link, they are taken to a credential phishing web page hosted on Japanese servers rather than a voicemail at all. The user gets directed to the Microsoft Office website or the Wikipedia page if the encoded email address at the end of the URL is missing.

The user is shown the final page, which is an Office 365 phishing page after they have correctly supplied the CAPTCHA information. The 2020 campaign Zscaler tracked using the same approach. 

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully "reports Zscaler ThreatLabz

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

As the majority of businesses quickly transitioned to a primarily remote-work style, with many workers working from their homes, phishing usage continued to increase. It peaked during the peak of the COVID-19 pandemic in 2020 and 2021. 

A substantial majority of credentials have been successfully compromised by the effort, which can be utilized for a number of different cybercrime endgames. These consist of taking control of accounts to gain access to files and data theft to send malicious emails that appear to be from a legitimate organization, and implanting malware,. The goal is to trick victims into using the same passwords for several accounts by adding the user ID/password combinations to credential-stuffing lists. 

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

11 High-Severity Flaws in Security Products Patched by Cisco

 

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

CVE-2022-20746 (CVSS score of 8.8) is the most serious of these, an FTD security vulnerability that occurs because TCP flows aren't appropriately handled and might be exploited remotely without authentication to generate a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

With the introduction of FDT versions 6.6.5.2 and 7.1.0.1, the IT giant has addressed the problem. Fixes will also be included in FDT releases 6.4.0.15 and 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed with the same FDT releases, including ones that affect ASA as well. They were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the future releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass flaw, as per the tech giant. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.

Malicious Emails have the Potential to Bring Down Cisco Email Security Appliances

 

Cisco notified customers this week that its Email Security Appliance (ESA) product is vulnerable to a high-severity denial of service (DoS) vulnerability that may be exploited using specially crafted emails. The CVE-2022-20653 vulnerability affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It is remotely exploitable and does not require authentication. 

This vulnerability is caused by the software's insufficient error handling in DNS name resolution. An attacker could take advantage of this flaw by sending specially crafted email messages to a device that is vulnerable. A successful exploit could allow the attacker to make the device unavailable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a denial of service (DoS) issue. Repeated attacks could render the gadget fully inoperable, resulting in a persistent DoS condition, said the company. 

This vulnerability affects Cisco ESA devices running a vulnerable version of Cisco AsyncOS Software with the DANE functionality enabled and downstream mail servers configured to deliver bounce messages. 

Customers can prevent exploitation of this vulnerability by configuring bounce messages from Cisco ESA rather than downstream reliant mail servers. While this workaround has been deployed and confirmed to be functional in a test environment, users should evaluate its relevance and efficacy in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation deployed may have a negative impact on network functioning or performance due to inherent customer deployment circumstances and limitations.

"Cisco has released free software updates that address the vulnerability described. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license," the company said. 

Cisco has given credit to numerous persons who worked with the Dutch government's ICT services company DICTU for reporting the security flaw. According to the networking behemoth, there is no evidence of malicious exploitation. 

Cisco also issued two advisories this week, informing users of medium-severity issues impacting Cisco RCM for Cisco StarOS software (DoS vulnerability), as well as Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (XSS vulnerability).

Malware Abcbot Related to the Xanthe Cryptomining Bug Developer's

 

Abcbot, the newly discovered botnet has a longer history than what was originally believed. The Xanthe-based cryptojacking campaign found by Cisco's Talos security research team in late 2020 has a clear link, according to the ongoing examination of this malware family. When Talos was notified of an intrusion on one of their Docker honeypots, they discovered malware that looked like a bitcoin mining bot. 

The virus is known as Xanthe, and its main goal is to mine cryptocurrency using the resources of a compromised system. Based on the findings, the same threat actor is behind both Xanthe and Abcbot, and its goal has shifted from mining cryptocurrency on compromised hosts to more classic botnet activity like DDoS attacks.

Abcbot attacks, first reported by Qihoo 360's Netlab security team in November 2021, are triggered by a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is an updated version of one found by Trend Micro in October 2021, which targeted Huawei Cloud's vulnerable ECS instances. 

Further investigation of the botnet, which included mapping all known Indicators of Compromise (IoCs) such as IP addresses, URLs, and samples, revealed Abcbot's code and feature-level similarities to that of a cryptocurrency mining operation known as Xanthe, which spread the infection using incorrectly configured Docker implementations. 

The semantic similarities between the two malware families range from the way the source code is formatted to the names given to the routines, with some functions having not only identical names and implementations (e.g., "nameservercheck"), but also have the word "go" appended to the end of the function names (e.g., "filerungo"). According to experts, Abcbot also contains spyware that allows four malicious users to be added to the hacked machine: 
  • Logger 
  • Ssysall 
  • Ssystem 
  • sautoupdater 
Researchers believe that there are substantial links between the Xanthe and Abcbot malware families, implying that the same threat actor is involved. The majority of these would be difficult and inefficient to recreate identically, including string reuse, mentions of shared infrastructure, stylistic choices, and functionality that can be seen in both instances. If the same threat actor is behind both campaigns, it signals a shift away from cryptocurrency mining on compromised devices and toward botnet-related operations like DDoS attacks.

Cisco Vulnerability Damages the Firewall

 

Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially contribute to denial-of-service (DoS) attacks. 

As per Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) does not demand elevated privileges or specific access to attack. An attacker only needs to create a demand wherein one of the portions is larger than the device expects. 

According to Cisco, the flaw is the consequence of poor input validation while parsing HTTPS queries. The problem, if abused, might allow an attacker to compel the device to restart, culminating in a DoS circumstance, according to the vendor. 

This has the potential to have a significant effect on the business., noted Abramov. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note. 

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to prevent and identify breaches.

The vendor addressed a bug in its Firepower Devices Manager (FDM) and On-Box software in August, allowing the researcher to take complete control of the company's Firepower next-generation firewalls. 

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a severity score of 6.3 on the standard vulnerability ranking methodology. 

The vulnerability exploited another flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on a compromised device's operating system.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

Cisco SD-WAN Security Flaw Allows Root Code Execution

 

Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS IE operating system, which could result in arbitrary code execution. 

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw that allows attackers to execute unexpected, harmful instructions directly on the operating system that would otherwise be inaccessible. It exists especially in the command-line interface (CLI) for Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges. 

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that the exploit method would comprise authenticating to a susceptible device and delivering "crafted input" to the system CLI. An attacker with successful compromise would be able to read and write any files on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including subsequent access to a corporate network. 

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, the co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, which might provide a hidden threat with issues like these. 

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is solely the latest SD-WAN vulnerability addressed by Cisco this year. It patched many significant buffer-overflow and command-injection SD-WAN flaws in January, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

Cisco Releases Patches for Several High Severity Vulnerabilities

 

This week, Cisco addressed a number of high-severity flaws in its Web Security Appliance (WSA), Intersight Virtual Appliance, Small Business 220 switches, and other products. If all of these issues are successfully exploited, attackers may be able to cause a denial of service (DoS), perform arbitrary commands as root, as well as obtain administrator rights. 

Two high-severity vulnerabilities (CVE-2021-34779 and CVE-2021-34780) were discovered within the implementation of the Link Layer Discovery Protocol (LLDP) for Small Business 220 series smart switches, allowing arbitrary code execution and a denial of service condition. The business switch series software update additionally fixes four medium-severity security issues that could cause LLDP storage destruction on a vulnerable device. 

Inadequate input validation inside the Intersight Virtual Appliance is another serious flaw. The security vulnerability, identified as CVE-2021-34748, could allow arbitrary instructions to be executed with root rights. 

Cisco further patched two high-severity flaws in its ATA 190 series and ATA 190 series multiplatform (MPP) software this week. The issues, identified as CVE-2021-34710 and CVE-2021-34735, might be used to execute malicious code and create a denial of service (DoS) scenario, accordingly. 

One of these flaws was disclosed to Cisco by firmware security company IoT Inspector, which published an alert on Thursday 7th of October, detailing its observations. 

Cisco has fixed a race issue in the AnyConnect Secure Mobility Client for Linux and macOS that could've been exploited to execute arbitrary code having admin rights, as well as an inappropriate memory management vulnerability in AsyncOS for Web Security Appliance (WSA) that might result in DoS. 

CVE-2021-1594, an inadequate input validation vulnerability in the REST API of Cisco Identity Services Engine, is yet another high-severity weakness patched this week (ISE). An intruder in a man-in-the-middle position might leverage the issue to execute arbitrary instructions with root access by decrypting HTTPS data between two ISE personas on different nodes. 

Cisco also provided fixes for TelePresence CE and RoomOS, Smart Software Manager On-Prem, 220 series business switches, Identity Services Engine, IP Phone software, Email Security Appliance (ESA), DNA Center, and Orbital, which all have moderate issues. However, Cisco has issued patches for all these flaws and claims that exploits for them have not been publicly revealed.

Cisco Published Two Critical and Six High-Severity Patches for Nexus Gear

 

The American multinational technology conglomerate corporation Cisco Systems, based in San Jose, California - has published six security patches for its high-end 9000 series networking gear, spanning in severity from critical, high, and medium. 

Cisco Systems designs, produce and distributes networking gear, software, telecom equipment, and a variety of other high-tech products and services. 

Cisco fixed one of the most critical flaws (ranked 9.1 out of 10) that might enable a hostile and unauthorized attacker to read or write arbitrary files on an application protocol interface used in Cisco 9000 series switches meant to operate its software-defined networking data center solutions. 

Cisco additionally patched two high-severity Nexus 9000 flaws (CVE-2021-1586 and CVE-2021-1523) as well as three medium-severity flaws (CVE-2021-1583, CVE-2021-1584, CVE-2021-1591). Each of the high-severity flaws (also with a CVSS base score of 8.6) are denial of service issues. 

The significant vulnerability, CVE-2021-1577, patched affects the Cisco Application Policy Infrastructure Controller (APIC) and the Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC). APIC is the primary architectural element of the Cisco Application Centric Infrastructure, which is operated on a Cisco Nexus 9000 Series node.

In a variety of diminutive form factors, the Cisco Nexus 9000 Series combines established high performance and compactness, low latency, and outstanding power efficiency. They can run in either Cisco NX-OS Software or Application Centric Infrastructure (ACI) mode. They are suitable for both conventional and completely automated data center setups. 

Cisco describes a second high-severity Nexus 9000 series flaw as a loophole within the Fabric Switches ACI Mode Queue Wedge. 

“This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device,” wrote Cisco in its Wednesday security bulletin. Affected products are Cisco APIC and Cisco Cloud APIC. 

Cisco stated that countermeasures are present for each of the flaws and that it is unaware of any widely available exploits for all those problems that have been fixed, as with all of the flaws and solutions published on Wednesday. The fix released on Wednesday 25th of August was included in the Cisco "bundled publication" of security improvements for its Firepower eXtensible Operating System and Linux kernel compatible NX-OS software. 

“A vulnerability in the Multi-Pod or Multi-Site network configurations for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to unexpectedly restart the device, resulting in a denial of service (DoS) condition,” wrote Cisco. 

Following the implementation of the patches, Cisco advises that the solution for this flaw needs “a manual intervention to power-cycle the device to recover.” Fabric switches from the generation 1 model N9K (Nexus 9000) series are the ones compromised.

Cisco: Firewall Manager RCE Flaw is a Zero-day, Patch Arriving Soon

 

In a Thursday security advisory update, Cisco disclosed that a remote code execution (RCE) vulnerability discovered last month in the Adaptive Security Device Manager (ADSM) Launcher is a zero-day flaw that is yet to be patched. 

Cisco ADSM is a firewall appliance manager that controls Cisco Adaptive Security Appliance (ASA) firewalls and AnyConnect Secure Mobility clients via a web interface. 

As per the updated advisory, "At the time of publication, Cisco planned to fix this vulnerability in Cisco ASDM. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability." 

The business also modified the list of compromised ADSM software versions from '9.16.1 and earlier'—as mentioned in the first advisory—to '7.16(1.150) and earlier' in a recent update. 

Incorrect signature verification for code shared between the ASDM and the Launcher caused the zero-day flaw, which is tracked as CVE-2021-1585. 

With the rights granted to the ASDM Launcher, successful exploitation could permit an unauthenticated attacker to remotely launch arbitrary code on a target's operating system. 

As Cisco explained in the updated advisory, "An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code." 

"A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM." 

Furthermore, according to the firm, its Product Security Incident Response Team (PSIRT) is not informed of any proof-of-concept attacks for zero-day or threat actors utilizing it in the open. 

Cisco patched a six-month-old zero-day vulnerability (CVE-2020-3556) in the Cisco AnyConnect Secure Mobility Client VPN software three months ago, using publicly accessible proof-of-concept exploit code. 

While proof-of-concept exploit code was publicly accessible when the problem was discovered, Cisco PSIRT also said that there was no indication of in the wild exploitation. 

Cisco reported the zero-day vulnerability in November 2020, without issuing any security patches to fix the fundamental flaw, although it did offer mitigation techniques to reduce the attack surface. No active exploitation was reported before CVE-2020-3556 was fixed in May, most likely because default VPN setups were prone to attacks and the vulnerability could only be exploited by authenticated local attackers. 

However, after Positive Technologies' Offensive Team revealed a proof-of-concept vulnerability last month, attackers pounced on a Cisco ASA flaw (partially fixed in October 2020 and fully resolved in April 2021).

Cisco Smart Switches Detected with Vulnerabilities

 

In Cisco's Small Business 220 Series smart switches a researcher has uncovered various vulnerabilities, especially those with high severity assessments. This Monday, the networking giant advised its consumers that patches for these vulnerabilities are available. 

The impact switch runs firmware versions earlier than 1.2.0.6 and has the web-based management interface enabled. 

Cisco Systems, Inc. is a US conglomerate based in San Jose, California, in the Silicon Valley center. Cisco designs manufacture and distribute high-tech services and products for networking hardware, software, telecommunications equipment, and others. 

Security researcher Jasper Lievisse Adriaanse has identified the vulnerabilities. He discovered four kinds of safety holes on the small enterprise switch as published in a notice by Cisco. 

One can be used by a remote, unverified attacker, tracked as CVE-2021-1542, which is rated as high severity to take over the user session and obtain access to the web portal of a switch. The attacker could acquire managerial access to the management interface, based on the rights of the potential customer. 

Another high-severity problem is CVE-2021-1541, which enables a remote device attacker with admin access to perform arbitrary root-privileged commands on the operating system underneath it. 

The two other weaknesses identified by the investigator, both of which were Cisco's medium severity, might allow a remote attacker to initiate XSS (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571). 

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Adriaanse explained. 

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged-in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.” 

The XSS defect is due to inspections by the web-based management interface of the device being submitted by the user. An attacker could use this error by deceiving the victims into clicking a malicious link and accessing a certain page. The attacker may induce weakness in running arbitrary script code in connection with the affected interface or access sensitive, browser-based information. 

The HTML Injection Vulnerability is caused by faulty parameter checks on affected pages. In order to address certain vulnerabilities, Cisco has published software updates. 

Cisco Smart Install Protocol is Still Being Exploited in Cyber-Attacks

 

Five years after Cisco issued its first warning, the Smart Install protocol is still being utilized in assaults, and there are around 18,000 internet-exposed devices that might be targeted by hackers. Smart Install is a plug-and-play configuration and image-management technology from Cisco that allows new switches to be deployed with zero-touch. Smart Install can be extremely important to organizations, but it can also be a significant security concern. 

A Smart Install network consists of a group of networking devices known as clients that are served by a common Layer 3 switch or router that serves as a director. You can use the Zero-Touch Installation process in a Smart Install network to install new access layer switches without the help of the network administrator. The director acts as a central management point for client switch images and configuration. When a new client switch is added to the network, the director immediately recognizes it and determines which Cisco IOS image and configuration file should be downloaded. 

The function remains enabled and can be accessed without authentication once a device has been set up via Smart Install. Malicious actors have been able to remotely target devices with Smart Install enabled, including reloading devices, loading a new operating system image, and running arbitrary commands with elevated privileges. 

After an exploitation tool was made public in 2016, Cisco issued a warning on the misuse of Smart Install. In 2017 and 2018, the company sent more alerts, identifying hundreds of thousands of vulnerable devices, including those in critical infrastructure organizations. In 2018, it was revealed that hacktivists targeted the Smart Install function in assaults on Cisco switches in Iran and Russia as part of an ostensibly pro-US attack, as well as a state-sponsored cyberespionage group affiliated to Russia. 

In 2016, the number of networking equipment vulnerable to Smart Install assaults surpassed 250,000, but by 2018 it had reduced to 168,000. The Shadowserver Foundation is still keeping track of the number of potentially susceptible devices, reporting that almost 18,000 are currently online, including many in North America, South Korea, the United Kingdom, India, and Russia. 

Last month, Lumen Technologies' Black Lotus Labs cybersecurity unit discovered that a hacktivist group had compromised at least 100 internet-exposed routers belonging to both public and private sector entities, most of which were based in the United States.

Cisco Discovers High-Severity Flaws in its Software

 

The IT and networking giant Cisco has outlined multiple vulnerabilities in its Webex, SD-WAN, and ASR 5000 devices, that could potentially allow an arbitrary code execution by the attackers for the legitimate reason. 

Although Cisco has provided patches for a wide range of vulnerabilities, particularly updates for high-risk issues in the widely used Webex Player, SD-WAN, and ASR 5000 Series. 

A total of three flaws of high severity ( CVSS score of 7.8 ) have been addressed and patched for Windows and macOS in Webex Player, two of those also compromise the operating systems' Webex Network Recording Player. 

The first bug, CVE-2021-1526, is a problem of memory degradation that can be exploited by arbitrary code on a vulnerable computer. Manipulated Webex Recording Format(WRF) files could misuse the vulnerabilities. 

The problem affects the Cisco Webex Player for Windows and macOS launches before the 41.5 version of it but does not influence the Webex Network Recording Player. 

Memory corruption problems that harm both the Webex Network Recording Player and Webex Player are indeed the following two vulnerabilities - the CVE-2021-1502 and the CVE-2021-1503 - on Windows and macOS both. 

Both can be used to arbitrarily execute code on the system concerned. Both of these issues are resolved in version 41.4 of Webex player and Webex Network Recording Player. 

In addition, recently, Cisco issued updates for SD-WAN software CVE-2021-1528 a high risk (CVSS score of 7.8), that might be used to get high privileges on a vulnerable server. This bug affects the SD-WAN versions 20.4 and 20.5 (vBond Orchestrator, vEdge Cloud, and vEdge Routers and vManage, vSmart Controller) but has been addressed with version 20.4.2 and 20.5.1 of SD-WAN. 

Cisco has also issued updates that might be leveraged to bypass permission and execute CLI commands on a damaged computer for several vulnerabilities in the ASR 5000 Series Software (StarOS). CVE 2021-1539 is the most significant of these defects (CVSS score of 8.1). 

Cisco urges consumers to upgrade to each product's patched versions as soon as possible. Furthermore, the corporation emphasizes that it is not known that these vulnerabilities are exploited in attacks. Cisco has also released information on other medium-risk vulnerabilities affecting its portfolio of different products, including Webex Meetings, Webex Player, ThousandEyes Recorder, IP cameras Video Surveillance 7000, and Common Services Platform Collector (CSPC). 

The Company also highlighted that several vulnerabilities detected in the frame aggregation and fragmentation features following 802.11 standards have affected several of its products. An attacker could easily misuse such defects to forge encrypted frameworks and to exfiltrate sensitive device data.

BGP Leak Causes 13x Spike in Misdirected Traffic

 

An enormous BGP routing leak that occurred on 16th April 2021 disrupted the connectivity for a great many significant organizations and sites all across the planet. Albeit the BGP routing leak happened in Vodafone's independent network (AS55410) situated in India, it has affected U.S. organizations, including Google, as indicated by sources. 
 
BGP or Border Gateway Protocol is the thing that makes the modern-day internet work. It is akin to having a "postal system" for the web that works with the redirection of traffic from one (autonomous) system of networks to another. The web is a network of networks, and for instance, a client situated in one nation needed to get to a site situated in another, there must be a system set up that understands what ways to take while diverting the client across different networked systems. And, that is the reason for BGP: to coordinate web traffic effectively over different ways and systems between the source and destination to make the internet function.

On 16th April 2021, Cisco's BGPMon detected a disparity in an internet routing system, possibly demonstrating some BGP hijacking activity taking place: "Prefix 24.152.117.0/24, is normally announced by AS270497 RUTE MARIA DA CUNHA, BR." "But beginning at 2021-04-16 15:07:01, the same prefix (24.152.117.0/24) was also announced by ASN 55410," stated BGPMon's announcement. 

Doug Madory, director of Internet analysis at Kentik further affirmed these discoveries expressing that the autonomous system ASN 55410 was seeing a 13 times spike in inbound traffic directed to it. The said autonomous system (AS55410) belongs to Vodafone India Limited.

“We have done a complete analysis of the reported matter and have not observed any issue in routing security at our end. A wrong advertising of the routing table publishing made by one of our Enterprise customers had led to this incident. This was responded to immediately and rectified,” a Vodafone Idea Ltd spokesperson said.

"This incident only affected traffic for about 10 minutes, but during that time there were likely countless internet connection problems for users around the world." "Anyone trying to reach web resources configured with the IP addresses in the routes that were leaked would have had their traffic misdirected to AS55410 in India and then dropped," Doug Madory from Kentik told BleepingComputer in an email interview.

Snort Vulnerability Leads Various Cisco Products Exposed to Vulnerabilities

 


Earlier this week, the company told its customers that several Cisco products have been exposed to DoS (Denial of Service) attacks due to Snort detection engine vulnerability. Known as CVE-2021-1285, the flaw is rated high severity, and hackers can exploit it. The attacker must be on the layer 2 domain similar to the victim, as to compel a device to fall to a DoS attack via sending it specifically made Ethernet frames. As per Cisco, the flaw exists in the Ethernet Frame Decoder part of the Snort. 

The vulnerability affects all variants of the famous intrusion detection and intrusion prevention system (IDS/IPS) made before 2.9.17, which has a bug patch. According to Security Week, "Snort is an open-source tool developed by Cisco that provides real-time traffic analysis and packet logging capabilities. It has been downloaded millions of times and it has more than 600,000 registered users, with Cisco claiming that it’s the most widely deployed IPS in the world. The alpha version of Snort 3 was announced in December 2014 and now it has finally become generally available."

Catalyst Edge software and platform, 1000v series Cloud Services Router products, and Integrated Service Router (ISR) are said to be affected by the CVE-2021-1285. But they'll be affected only if they are using a version of Cisco UTD Snort IPS engine software that is vulnerable for IOS XE or Cisco UTD Engine for IOS XE SD-WAN, and if these are configured to pass through the Ethernet frames to Snort. According to Cisco, the flaw is linked to FTD (Firepower Threat Defense) issue that was patched in October last year. 

The vulnerabilities were found during solving a support case, however, no evidence has been found to point that these vulnerabilities were exploited in any attacks. Besides this, on Wednesday Cisco issued an advisory on few other vulnerabilities, of medium severe ratings. "These impact Webex, SD-WAN, ASR, Network Services Orchestrator, IP phones, and Email Security Appliance products, and they can lead to information disclosure, path traversal, authorization bypass, DoS attacks, privilege escalation, and SQL injection," says SecurityWeek.

Cisco Shows no Intentions on Patching EOL Vulnerabilities

 

Cisco, an American Multinational Conglomerate stated this week it does not plan on fixing vulnerabilities in end-of-life (EOL) Cisco routers, more than 70 vulnerabilities were spotted in CISCO’s Small Business RV110W, RV130, RV130W, and routers. Despite these vulnerabilities, the company has no intentions to fix these patches.

Cisco stated that these devices have reached end-of-life (EOL) hence there is no point in fixing the Cisco routers. The deadline regarding software maintenance releases and bug fixes was December 1, 2020. Cisco has released software updates to fix these vulnerabilities and said they are not mindful of threat actor exploits targeting the vulnerabilities.

CVE-2021-1144 recognized as a high severity bug (CVSS score of 8.8) in Connected Mobile Experiences (CMX) is the most valuable flaw which can be exploited by threat actors to alter the passwords for any user account on the system which includes administrator accounts as well. Threat actors can exploit the vulnerability by sending an altered HTTP request to a susceptible device.

CVE-2021-1237 (CVSS score of 7.8) is tracked as another high severity flow, it was detected in the AnyConnect Secure Mobility Client for Windows, influencing the Web Security Agent Components and the endpoint solution’s Network Access Manager. This vulnerability could be exploited by an authenticated and local threat actor for Dynamic Link Library (DLL) installation.

Cisco stated that “an attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges”.

Cisco issued 18 other recommendations explaining medium severity bugs in Proximity Desktop for Windows, ASR 5000 routers, Enterprise NFV Infrastructure Software (NFVIS), Webex, Finesse, Firepower Management Center (FMC), Video Surveillance 8000 IP Cameras, Unified Communications products, DNA Center, AnyConnect Secure Mobility Client, and CMX API authorizations.

Cisco's Routers. Switches and IP Equipment Suffer Zero-Day Attacks! Major Vulnerabilities Discovered!


The extremely well-known Cisco’s products, including IP Phones, Routers, cameras, and switches, were determined to have several severe “zero-day” vulnerabilities by researchers in the “Cisco Discovery Protocol (CDP)”, per sources.

CDP is a proprietary “Layer 2” network protocol that is put into effect in all the Cisco devices to be privy to the mechanisms of the devices.

Reports mention that a total of five vulnerabilities were ascertained out of which, four were “Remote Code Execution” (RCE) that let hackers or any other cyber-con to manipulate every single operation of the devices without any sort of consent of the user.

According to sources, one of the vulnerabilities led to a “Denial of Service” in the Cisco FXOS, NX-OS and IOS XR software that ended up damaging the victims’ networks

By exploiting the vulnerabilities effectively, numerous organizations’ and companies’ networks were smashed, costing all the affected parties heavily.

Per legitimate sources, following is the list of all the vulnerable devices in the represented categories:

Switches
• Nexus 1000 Virtual Edge
• Nexus 1000V Switch
• Nexus 3000 Series Switches
• Network Convergence System (NCS) 1000 Series
• Network Convergence System (NCS) 5000 Series
• Network Convergence System (NCS) 540 Routers
• Network Convergence System (NCS) 5500 Series
• Network Convergence System (NCS) 560 Routers
• MDS 9000 Series Multilayer Switches
• Nexus 5500 Series Switches
• Nexus 5600 Series Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 9000 Series Fabric Switches
• Network Convergence System (NCS) 6000 Series
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

IP Phones
• Unified IP Conference Phone 8831
• Wireless IP Phone 8821-EX
• Wireless IP Phone 8821
• IP Conference Phone 7832
• IP Conference Phone 8832
• IP Phone 6800 Series
• IP Phone 7800 Series
• IP Phone 8800 Series
• IP Phone 8851 Series

IP Cameras
• Video Surveillance 8000 Series IP Cameras

Routers
• IOS XRv 9000 Router
• Carrier Routing System (CRS)
• ASR 9000 Series Aggregation Services Routers
• Firepower 1000 Series
• Firepower 2100 Series
• Firepower 4100 Series
• Firepower 9300 Security Appliances
• White box routers running Cisco IOS XR

The exploitation of the other four Remote Execution vulnerabilities could be in a way that a “maliciously” fabricated “CDP Packet” could be sent on the targeted Cisco devices and have their mechanisms altered.

There’s a vulnerability that could be hunted down or traced by (CVE-2020-3119). It helps the attackers to completely override the default switch and network infrastructure settings.

One of the vulnerabilities which could be traced as (CVE-2020- 3118), could help attackers gain control of the target’s router via remote code execution and use it in any harmful way they find acceptable.

Cisco’s 800 series IP cameras were vulnerable to attackers’ remote code execution. The vulnerability could be located as (CVE-2020-3110)

According to sources, in the other Cisco “Voice over IP Phone” vulnerability, an overflow in the parsing function could be exploited to access “code execution”. This vulnerability could be traced to (CVE-2020-311).

The troubles this vulnerability could cause an organization are manifold.
Acquiring access to other devices via “man-in-the-middle” attacks.
Damaging the network’s structure
“Data Exfiltration”, ranging from network traffic to sensitive information and personal phone calls, by the help of manipulated routers and switches.

Per reports, Cisco has come up with patches and the users are directed to employ them without any further delay.
[CVE-2020-3111
CVE-2020-3118
CVE-2020-3120
CVE-2020-3110
CVE-2020-3119]


Vulnerability found in Cisco Webex Meeting Suit- Lets unauthorized attackers join private meetings


Cisco Webex Meetings Suite, a platform that offers its customers to organize online meetings and seminars anytime anywhere, has revealed a security vulnerability that allows an unauthorized attacker to enter a password-protected meeting without the password.


The Vulnerability -
The vulnerability allows the attacker to join a meeting if they have the meeting ID or meeting URL from the mobile device browser. Then the browser will launch the meeting on Webex mobile application, and then the unauthenticated user can join the password-protected meeting without the said browser. “The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee,” reads the Cisco blog post.

This makes it quite easy to track the unauthorized individual as they will be visible as a mobile attendee. This Cisco Webex vulnerability has received a score of 7.2 out of 10 (can be tracked as CVE-2020-3142). Cisco Product Security Incident Response Team (PSIRT) said that they have not yet faced an attacker exploiting the vulnerability. Versions with the vulnerability - The vulnerability is seen in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online versions earlier than 39.11.5 and 40.1.3. Though Cisco says that the Webex meeting server is unaffected with the vulnerability.

After discovering the vulnerability, Cisco has now released a new version fixing the vulnerability in versions 39.11.5 and later 40.1.3 for Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites. “The fix applies to Cisco Webex Meetings Suite sites and Cisco Webex Meetings sites only. Customers are not required to update the Cisco Webex Meetings mobile application or the Cisco Webex Meetings desktop application.”

Cisco recently fixed 11 more bugs in Cisco Data Center Network Manager when the faults let hackers RCE, SQL Injection, and Authentication Bypass Attacks. Cisco is expected to fix the bug soon. The users are advised to stay careful of any suspicious activity and report to the company immediately if they found any malicious activity on the platform.

Cisco faces criticism after a hacker finds 120+ bugs in its product



A triad of severe vulnerabilities in Cisco DCNM (Data Center Network Manager) stock allows hackers to remotely sidestep the verification and invade into companies’ servers, the reason being a few safety failures that include hard-coded creds.

The 3 vulnerabilities were in the huge 120 vulnerabilities list in the stock discovered by the hacker Steven Seeley, who currently works for Source Incite. It was Steven who informed the company about the issue through a glitch hunt program called Zero Day Initiative, by Trend Micro. 

In an interview with Computer Business Review, he Australian cybersecurity specialist/hacker said that "the group of 3 vulnerabilities are the most dangerous among the 120 vulnerabilities, and if the hackers get a hand of it, they can exploit it using execution as root through remote code. It is as simple as that."

Simon further says that by exploiting these vulnerabilities, the hacker could easily gain access to almost anything like personal information, credentials, and passwords.
"I was rejected by the company Cisco after 8 interviews," said Simon on Twitter.

In response to the situation, Cisco has urged its users to update their systems and software, as to stay safe from the bugs. Earlier this week the company said, "we have repaired the vulnerabilities in and users are requested to immediately update the software."

Unfortunately, the readers of Computer Business Review are well aware that not all the products were built to be the same when it comes to patch management, the issue being that most of the critical bugs are neglected by the company.

In a conversation with Computer Business Review, Simon said that he will release the source codes this coming week. He mentioned that the vulnerabilities were very minor to exploit, but it did consume mind-boggling research to find the bugs in the starting phase. "The research consumed a whole month along with reviewing the code origin and debugging the run-time."

Cisco says the trio of the vulnerabilities is not dependent on each other. A single vulnerability itself is capable of the exploit, let alone the trio. Cisco has released the latest security patch on its website. The users who have still not updated it can install it from the 'download center' on the website.

Cisco devices has critical vulnerabilities





Security researchers have found many serious vulnerabilities inside dozens of Cisco devices.

A cybersecurity company Red Baron claims that the Cisco 1001-X comes with two major flaws. One is a software flaw inside Cisco’s router’s operating system, which would allow hackers root access. The second flaw is much more dangerous as it allows potential malicious actors to bypass the router’s security feature, Trust Anchor. 

The second flaw “means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything,” Ang Cui, the founder, and CEO of Red Balloon explained.

In the meantime, the firm released a fix for the first flaw, but are still working on the second one. “The Trust Anchor module is not directly involved in the work demonstrated by Red Balloon,” a spokesperson told Wired.

It is believed that the vulnerability could become serious if not handled carefully and on time. 


Cisco announces its intent to acquire OpenDNS

 
Cisco announced on June 30 its intent to acquire OpenDNS, a security company which provides advanced threat protection for any device, anywhere and anytime based in San Francisco.

It is said that the acquisition will boost Cisco's Security everywhere approach by adding broad visibility and threat intelligence from the OpenDNS cloud delivered platform.

According to the press statement issued by the organization, the OpenDNS team will join the Cisco Security Business Group. As per the agreement, Cisco will pay $635 million in cash and assumed equity awards, plus retention based incentives for OpenDNS. The acquisition is expected to close in the first quarter of fiscal year 2016, subject to customary closing conditions.

The press statement said that the burgeoning digital economy and the Internet of Everything (IoE) are expected to spur the connection of nearly 50 billion devices by 2020, creating a vast new wave of opportunities for security breaches across networks. The faster customers can deploy a solution, the faster they can detect, block and remediate these emerging security threats.

“OpenDNS' cloud platform offers security delivered in a Software-as-a- Service (SaaS) model, making it quick and easy for customers to deploy and integrate as part of their defense architecture or incident response strategies. By providing comprehensive threat awareness and pervasive visibility, the combination of Cisco and OpenDNS will enhance advanced threat protection across the full attack continuum before, during and after an attack,” the statement read.

The statement added that OpenDNS' broad visibility, unique predictive threat intelligence and cloud platform with Cisco's robust security and threat capabilities will increase awareness across the extended network, both on- and off-premise, reduce the time to detect and respond to threats, and mitigate risk of a security breach.

Hilton Romanski, Cisco chief technology and strategy officer, said that many people, processes, data and things connected because of which opportunities for security breaches and malicious threats grow exponentially when away from secure enterprise networks.

“OpenDNS has a strong team with deep security expertise and key technology that complements Cisco's security vision. Together, we will help customers protect their extended network wherever the user is and regardless of the device,” Romanski added.