
Cisco Patches Authentication, Denial-of-Service, NTP Flaws In Many Products (csoonline.com) 33

itwbennett writes: Cisco Systems has released a new batch of security patches for flaws affecting a wide range of products, including for a critical vulnerability in its RV220W wireless network security firewalls. The RV220W vulnerability stems from insufficient input validation of HTTP requests sent to the firewall's Web-based management interface. This could allow remote unauthenticated attackers to send HTTP requests with SQL code in their headers that would bypass the authentication on the targeted devices and give attackers administrative privileges.
  • by ls671 ( 1122017 ) on Tuesday February 02, 2016 @02:20AM (#51419563) Homepage

    HTTP requests with SQL code: what about using prepared statements and parameterized queries?

  • by WaffleMonster ( 969671 ) on Tuesday February 02, 2016 @02:32AM (#51419603)

    The only cause of SQLi is gross incompetence. It can never be caused by an accident or failure to do something.

    It can only be caused by willful and deliberate action to do something you know or should know to be wrong, stupid and dangerous at the time you did it. Unbound query strings don't build themselves.
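    The two posts above (prepared statements, and "unbound query strings don't build themselves") both come down to the same thing, so here is a constructed illustration, written for this thread and not taken from Cisco's firmware or the article: a web management handler that looks up a session token carried in an HTTP header, once by pasting the header value into the SQL text, once with a bound parameter. The table, the header name `X-Session-Token`, and the request strings are all made up for the example.

```python
import sqlite3

# Constructed demo of the RV220W-style flaw class: a management interface that
# authenticates a request from a header value. Not Cisco's code; the schema and
# the header name are assumptions for the example.

SESSIONS = [("sess-abc123", "admin"), ("sess-def456", "readonly")]


def make_db():
    """In-memory session table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SESSIONS)
    return conn


def parse_header(raw_request):
    """Return the X-Session-Token header value from a raw HTTP request, or None."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-session-token":
            return value.strip()
    return None


def role_for_token_vulnerable(conn, token):
    """Unbound query string: the header value becomes part of the SQL text."""
    query = "SELECT role FROM sessions WHERE token = '%s'" % token
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def role_for_token_safe(conn, token):
    """Parameterized query: the driver passes the value as data, never as SQL."""
    row = conn.execute(
        "SELECT role FROM sessions WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


# Constructed requests: one with a real token, one whose header carries SQL
# instead of a token, as the summary describes.
VALID_REQUEST = (
    "GET /admin HTTP/1.1\r\nHost: fw\r\nX-Session-Token: sess-abc123\r\n\r\n"
)
FORGED_REQUEST = (
    "GET /admin HTTP/1.1\r\nHost: fw\r\nX-Session-Token: ' OR '1'='1\r\n\r\n"
)


def demo():
    """Run both handlers over both requests; returns the roles each one grants."""
    conn = make_db()
    results = {}
    for label, raw in (("valid", VALID_REQUEST), ("forged", FORGED_REQUEST)):
        token = parse_header(raw)
        results[label] = {
            "vulnerable": role_for_token_vulnerable(conn, token),
            "safe": role_for_token_safe(conn, token),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the real token both handlers return `admin`. With the forged header the concatenating handler still returns `admin`, because the WHERE clause it built is always true and the first session row wins; the parameterized handler returns `None`, since the whole header value is compared as one opaque string that matches no token. The difference is entirely in who gets to write the query text.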

    • by Anonymous Coward

      > The only cause of SQLi is gross incompetence.

      How true.

      What perhaps horrifies me more is that the fantasy in our profession can't come up with a decent GUI other than with this browser + web server + SQL database monstrosity; most probably a PHP abomination and a MySQL database (not that a node or django -- and a couch or mongo would make that better) *plus* a big fat chunk of javascript with an embedded, mutilated mutant of jquery or similar.

      I'm deeply ashamed of the trade I'm in.

    • by Anonymous Coward

      Another 'Big Name' exposed as lacking quality, too little, too late.
      Apple is a 'premium' company, while the 'premium' on this brand's reputation has been outed.
      May as well buy cheap Chinese crap because it does the same thing, and probably no worse.
      Throw in a few back doors, compromised keys - no corporate automatic sales for you.

      Cisco and Blackberry - what will they have in common going forward?

  • by DNS-and-BIND ( 461968 ) on Tuesday February 02, 2016 @02:39AM (#51419625) Homepage

    Why are you the only one posting stories recently? The other two crappy editors who posted dupes haven't been heard from in a while.

    Hey timothy, I dare you, post another link to forbes.com.

  • by jones_supa ( 887896 ) on Tuesday February 02, 2016 @03:17AM (#51419731)

    A great part of the Internet is woven together by those turquoise boxes. They form a vulnerable part of the infrastructure. I find it strange that open source tinfoil hatters have not criticized more the fact that all of that gear runs proprietary code. All of the boxes could have a backdoor that allows a government surveillance organization to connect and change settings or to wiretap passing traffic. Why do these discussions not usually come up?

  • If Cisco can't get it right then what hope do the rest of us have. But then again using an HTML protocol to remotely control a security device isn't the best of ideas.

  • Was never supposed to be an "enterprise" piece of equipment anyway. It's part of their Small Business line, which used to be called Linksys. Thus why it has an HTML-based gui, craptastic security, etc. If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless. You get what you pay for, and Cisco has never been cheap. If the product is cheap, then expect issues like these. I finally gave up on my RW180
    • If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless.

      And then you can still expect amateur hour security mistakes, and intentional back doors, because we're talking about Cisco, and that's how they roll. There have been multiple serious holes in IOS.

      • Indeed! In fact, we used a documented exploit to reboot a bad 6000 series switch at work. White-hat hacking at its finest LOL
  • by Rob MacDonald ( 3394145 ) on Tuesday February 02, 2016 @06:42AM (#51420233)

    If anyone else ends up clicking the "security updates" link in the summary and starts to wonder why they are only talking about the RV220W, it's because the submitter reversed the links; you need to click the Cisco RV220W link to get the article with ALL the products.
  • This stuff is the crap leftover from the Linksys acquisition. I would be willing to bet none of their SMB products share much code with their big business stuff (ASA, Catalyst, and their real routers based on IOS).

    If you've ever called tech support for their "pro" stuff - you get some pretty awesome people usually based in the US. Last time I called their SMB support teams I got a guy in Bulgaria (in his defense he did quickly recognize that my defective hardware needed to be replaced).

    This type of flaw i
