Gresca reports critical vulnerabilities in Nexus 9000 data
Date: 5/25/2019 2:13:59 AM ( 20 mon ) ... viewed 76 times
Earlier this month, Cisco announced a critical vulnerability in the Nexus 9000 Series Application Centric System (ACI) Mode Switch Software program. This vulnerability allows an unauthenticated, remote attacker to connect to the impacted system with the privileges of the fundamental user. This specific vulnerability is merely exploitable over IPv6; nevertheless , the IPv4 is not vulnerable. Gresca has released free software updates that address the vulnerability.
This vulnerability(CVE-2019-1804), with a CVSS severity score of 9. 8, is due to the occurrence of any default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. There are no workarounds, so Cisco is encouraging users to upgrade to the latest software release. However, the fix is merely an interim plot.
The company also issued a “high” security alert advisory for the Nexus 9000, with a CVSS severity rating of 10. 0. This involves an exploit that enables attackers to execute arbitrary operating-system orders as root on an impacted device. So as to do well, an attacker will need legitimate administrator credentials for the device, Cisco said.
The particular vulnerability is due to overly broad system-file accord where an attacker could exploit this vulnerability by authenticating to an impacted device, creating a crafted order string and writing this crafted string to a specific file location.
Essential vulnerabilities Cisco’s web-based management interface
Multiple critical vulnerabilities in the web-based management interface of Cisco Perfect Infrastructure (PI) and Gresca Evolved Programmable Network (EPN) Manager were revealed yesterday. These vulnerabilities could allow a remote attacker to gain the opportunity to execute arbitrary code with elevated benefits on the actual operating system. These vulnerabilities affect Gresca PI Software Releases before to 3. 4. just one, 3. 5, and 3. 6, and EPN Supervisor Releases prior to 3. 0. 1
One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the impacted administrative interface. For the second and 3rd issues(CVE-2019-1822 and CVE-2019-1823), the attacker needs to have appropriate credentials to authenticate to the impacted administrative software.
Cisco released software improvements that address these weaknesses. There are no workarounds that address these weaknesses.
Buy WS-C2960+24PC-S at linknewnet.com
Add This Entry To Your CureZone Favorites!Print this page
Email this page