UPDATED 00:18 EST / MARCH 29 2019

SECURITY

Cisco bungles security updates for routers used by ISPs and enterprises

In a strange turn of events for an otherwise stand-up company, Cisco Systems Inc. has bungled security updates for a number of its routers.

Security flaws that affect Cisco RV320 and RV325 WAN VPN routers used by internet service providers and enterprise users were allegedly addressed in a previous update, but the fix failed to work. The vulnerabilities in question, one that allows a hacker to run administrative commands on the Cisco devices without a password and another that allows a hacker to get sensitive device configuration details without a password, were first detected in January.

Detailed Wednesday by researchers at cybersecurity firm RedTeam Pentesting GmbH, the flaws are said to be actively exploited by hackers.

To its credit, Cisco owned up to the bungle, saying in a security advisory that “the initial fix for this vulnerability was found to be incomplete.” The bad news is that currently a patch for the vulnerabilities is not available, though Cisco said it’s working on a fix.

Lane Thames, senior security researcher at Tripwire Inc., told SiliconANGLE that there are a couple of interesting failures related to the botched fix.

“First, this shows that even the largest of software and hardware vendors don’t have basic secure development practices in place,” Thames said. “The engineering behind this fix was quite immature with respect to security and indicates that even the engineers involved with fixing security bugs sometimes don’t understand how to fix vulnerabilities.”

In particular, he explained, “the command injection vulnerability, in this case, was very basic (trivial to prevent, trivial to fix) and is due to improper input sanitization. Cisco tried to fix the issue by blacklisting a particular ‘User Agent,’ when the real fix should have been implementing an input sanitizer that filters the input for special command line characters.”

Thames said many libraries implement that filtering. “Using appropriate libraries that help us prevent security issues in code is key nowadays,” he said. “There have been many patches released over the years to fix vulnerabilities that were botched due to developers implementing home-grown fixes to a problem instead of using a good library.”
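The difference Thames describes can be shown in a few lines. The following is an added example, not code from Cisco's firmware or from the article: the handler names, the `label` field, the blacklist entry and the `echo` command are hypothetical stand-ins, and the hostile input is constructed.

```python
import re
import shlex
import subprocess

BLOCKED_AGENTS = ("curl",)                        # constructed blacklist entry
SAFE_LABEL = re.compile(r"[A-Za-z0-9._-]{1,64}")  # allow-list for the hypothetical field
HOSTILE = "x; echo INJECTED"                      # constructed input with a shell metacharacter


def _sh(command):
    """Run a command string through the system shell and return its output lines."""
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


def blacklist_handler(user_agent, label):
    """Incomplete fix: refuse one client, leave the injectable command unchanged."""
    if any(agent in user_agent.lower() for agent in BLOCKED_AGENTS):
        raise PermissionError("client blocked")
    # The input is still concatenated into shell text; the header check above
    # depends on a value the client chooses, so it does not constrain the input.
    return _sh("echo label=" + label)


def quoting_handler(label):
    """Library fix: shlex.quote() turns the value into a single shell word."""
    return _sh("echo label=" + shlex.quote(label))


def argv_handler(label):
    """Strictest fix: validate against an allow-list and skip the shell entirely."""
    if not SAFE_LABEL.fullmatch(label):
        raise ValueError("label contains characters outside the allow-list")
    done = subprocess.run(["echo", "label=" + label], capture_output=True,
                          text=True, check=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # Two output lines: the shell ran a second command taken from the input.
    print(blacklist_handler("Mozilla/5.0", HOSTILE))
    # One output line: the whole input stayed data.
    print(quoting_handler(HOSTILE))
    try:
        argv_handler(HOSTILE)
    except ValueError as err:
        print("rejected:", err)
```

The blacklist only changes which clients are refused; the quoting and allow-list versions change how the input itself is handled, which is the fix the quote calls for.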

The second failure involves inadequate testing, he added. “Particularly, the vendor should have worked closer with the penetration testers who found the original vulnerabilities,” he said. “These testers could have analyzed the patched firmware for Cisco to confirm a good fix before releasing the patch to the public.”
