May 22, 2008 10:48 AM PDT

Cisco patches three critical flaws

Posted by Robert Vamosi

On Wednesday, Cisco Systems issued three patches for critical vulnerabilities affecting Cisco Internetwork Operating System (IOS). The most serious of these affects the Cisco Voice Portal and the Secure Shell server (SSH) implementations.

Cisco says the first patch covers a vulnerability that exists in the Cisco Unified Customer Voice Portal (CVP) , which provides customer voice and video self-service integration. If the vulnerability is exploited, an authenticated user can create, modify, or delete a superuser account. In other words, successful exploitation may result in full control of the system.

The second patch covers the Secure Shell server (SSH) implementation in Cisco IOS, which contains multiple vulnerabilities. Exploitation may allow unauthenticated users to generate a spurious memory access error or, in certain cases, reload the device. Cisco notes that the IOS SSH server is an optional service that is disabled by default, but says its use is recommended as a security best practice for management of Cisco IOS devices.

According to Cisco, the third patch addresses three Secure Shell (SSH) vulnerabilities that exist in the Cisco Service Control Engine (SCE) that may result in system instability or a reload of the SCE. Cisco says the first vulnerability may be triggered during SSH log-in activity with brute force. The second vulnerability may be triggered with normal SSH log-in activity combined with simultaneous other SCE management actions. The third vulnerability may occur during SSH log-in using unique invalid authentication credentials.

Attacks against VoIP systems are becoming popular. At this year's Shmoocon, John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to these kinds of attacks.

Bottom line: if you're running Cisco IOS, get the updates today.

Topics:

Security

Tags:

security,

Cisco,

Cisco Unified Customer Voice Portal,

VoIP,

Secure Shell server (SSH)

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Column: Raising Cain at Black Hat
Black Hat 2008: Notes from the field
Column: Finally, ID fraud protection that works
Column: Will you be ditching your antivirus app anytime soon?
A real simple answer to password protection
Add a Comment (Log in or register) 1 comment
by bernie.mcginn June 2, 2008 10:31 AM PDT
interesting post... thanks!
Reply to this comment
Powered by Jive Software
advertisement

Latest tech news headlines

Resource center from News.com sponsors
Same great protection. Reengineered for speed.
Norton Internet Security™2008

Click Here!
Norton still delivers award-winning protection and now uses 83% less memory and scans 48% faster than the competitor average. Get a FREE trial today!

Click Here!
Norton Beats the Competition

See how Norton Internet Security™2008 uses less memory, while scanning and booting faster than the competitor average.

Norton Protection Blog

Read the latest from our security experts as they help protect people from evolving online threats.

Protect Your Bluetooth Connection

Don't let fraudsters sink their teeth into your Bluetooth connection.

Vishing - What you need to know

Meet the latest ID theft scam: Voice Phishing.

Take Norton for a Test Drive Today!

Act now to get your FREE trial of Norton Internet Security 2008.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

Featured blogs

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right

  • News - Business Tech

    Chrome's JavaScript challenge to Silverlight

    The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.

  • Gallery

    Photos: Top 10 reviews of the week

    Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.

  • News - Apple

    Apple watchers spot 'iPod Nano' pix, iTunes hints

    The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.

  • Outside the Lines

    EIC Squared: Chrome, iPods, and a Dell-Salesforce union

    On this week's EIC Squared podcast CNET's Dan Farber and ZDNet's Larry Dignan discuss Google's latest rocket launch--the Chrome browser--as well as Apple's iPod event next week and a Dell-Salesforce.com union.

  • Video

    Katie Couric reflects on first Webcast

    The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.

  • News - Digital Media

    At 10 years old, whither Google?

    Daniel Sieberg of CBS News looks at how the company grew exponentially from start-up to superstar and part of our culture, but what's ahead?

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Gaming and Culture

    Are Demo and TechCrunch50 fragmenting their audiences?

    With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Images: The art of 'Spore' prototypes

    Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.

  • Webware

    Mozilla releases second Firefox 3.1 alpha

    Added features include support for a new video tag element introduced with the HTML 5 standard, along with some speed enhancements.

  • Green Tech

    Duke Energy to invest in mini solar power plants

    Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET