Cisco Patches Authentication, Denial-of-Service, NTP Flaws In Many Products

itwbennett writes: Cisco Systems has released a new batch of security patches for flaws affecting a wide range of products, including for a critical vulnerability in its RV220W wireless network security firewalls. The RV220W vulnerability stems from insufficient input validation of HTTP requests sent to the firewall's Web-based management interface. This could allow remote unauthenticated attackers to send HTTP requests with SQL code in their headers that would bypass the authentication on the targeted devices and give attackers administrative privileges.

HTTP requests with SQL code

[ls671]

HTTP requests with SQL code: about using prepared statements and parameterized queries?

Input validation does not cause SQLi

[WaffleMonster]

The only cause of SQLi is gross incompetence. It can never be caused by an accident or failure to do something.

It can only caused by willful and deliberate action to do something you know or should know to be wrong, stupid and dangerous at the time you did it. Unbound query strings don't build themselves.

Re:

[Anonymous Coward]

> The only cause of SQLi is gross incompetence.

How true.

What perhaps horrifies me more is that the phantasy in our profession can't come up with a decent GUI other than with this browser + web server + sql data base monstrosity; most probably a PHP abomination and a MySQL database (not that a node or django -- and a couch or mongo would make that better) *plus* a big fat chunk of javascript with an embedded, mutilated mutant of jquery or similar.

I'm deeply ashamed of the trade I'm in.

Re:

[Anonymous Coward]

Another 'Big Name' exposed as lacking quality , too little, too late.
Apple is a 'premium' company, while the 'premium' on this brands reputation has been outed.
May as well by cheap Chinese crap because it does the same thing, and probably no worse.
Throw in a few back doors, compromised keys - no corporate automatic sales for you.

Cisco and Blackberry - what will they have in common going forward?

Hey timothy

[DNS-and-BIND]

Why are you the only one posting stories recently? The other two crappy editors who posted dupes haven't been heard from in a while.

Hey timothy, I dare you, post another link to forbes.com.

Re: Hey timothy

[Anonymous Coward]

No they won't.

Re:

[93 Escort Wagon]

Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.

They're still human beings with bills to pay and likely families to support.

Re:

[drinkypoo]

Come on. Show some compassion. People losing their jobs is not something to be so cavalier about, regardless of your opinions of them.

Yes, yes it is, because they were shit at their fucking jobs. In a world in which there are so many people homeless, jobless, hopeless, it's fucking pathetic to see people phone in their job like they can't be arsed to give one tenth of one fuck. That's especially true in tech, where more and more workers are losing their jobs even when they do them.

If they were good at their jobs, or even made more than a token effort, then we would miss them. They were shit, and they shit up Slashdot, and if you miss them

I still wonder

[jones_supa]

A great part of the Internet is woven together by those turquoise boxes. They form a vulnerable part of the infrastructure. I find it strange that open source tinfoil hatters have not criticized more the fact that all of that gear runs proprietary code. All of the boxes could have a backdoor that allows a government surveillance organization to connect and change settings or to wiretap passing traffic. Why do not these discussions usually come up?

Re:

[jones_supa]

That's what I want to say to the people taking about UEFI backdoors.

Re:

[account_deleted]

Comment removed based on user account deletion

Cisco patches RV220W firewall ..

[tetraverse]

If Cisco can't get it right then what hope does the rest of us have. But then again using a html protocol to remotely control a security device isn't the best of ideas.

Re:

[AchilleTalon]

HTML isn't a protocol. HTTP and HTTPS are.

RV220W...

[l0n3s0m3phr34k]

Was never supposed to be an "enterprise" piece of equipment anyway. It's part of their Small Business line, which used to be called Linksys. Thus why it has an HTML-based gui, craptastic security, etc. If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless. You get what you pay for, and Cisco has never been cheap. If the product is cheap, then expect issues like there. I finally gave up on my RW180

Re:

[drinkypoo]

If you want decent hardware with the Cisco name, prepare to spend around $1,000 for an ASA 5500 series, and then another $500+ for an Aironet to get the wireless.

And then you can still expect amateur hour security mistakes, and intentional back doors, because we're talking about Cisco, and that's how they roll. There have been multiple serious holes in IOS.

Re:

[l0n3s0m3phr34k]

Indeed! In fact, we used a documented exploit to reboot a bad 6000 series switch at work. White-hat hacking at it's finest LOL

Links are reversed

[Rob MacDonald]

If anyone else ends up clicking the "security updates" link in the summary and starts to wonder why they are only talking about the RV220W, it's because the submitted reversed the links, you need to click the Cisco RV220W link to get the article with ALL the products.

Re:

[account_deleted]

Comment removed based on user account deletion