Security News
Cisco this week released patches for over a dozen vulnerabilities affecting multiple products, including three critical bugs impacting its ACI Multi-Site Orchestrator, Application Services Engine, and NX-OS software. Also featuring a CVSS score of 9.8, the third critical flaw that Cisco patched this week affects Nexus 3000 and Nexus 9000 series switches.
A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication. The flaw stems from improper token validation on an API endpoint in Cisco's ACI MSO. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller devices," said Cisco on Wednesday.
Cisco has addressed a maximum severity authentication bypass vulnerability found in the API endpoint of the Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine. "A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device," Cisco explained.
Software development platform GitHub announced on Wednesday that it has hired Mike Hanley as its new Chief Security Officer. Hanley joins GitHub from Cisco, where he served as Chief Information Security Officer.
Verizon announced the expansion of its long-standing strategic partnership with Cisco, with the addition of three new SD-WAN managed services offerings. "These new services reflect the significant ongoing joint Cisco and Verizon research and development investments which aim to help customers accelerate change."
Cisco Talos has uncovered a credential-stealing trojan that lifts your login details from the Chrome browser, Microsoft's Outlook and instant messengers. Cisco Talos added: "Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application."
Japan and Cisco announced a collaboration framework through Cisco's Country Digital Acceleration Program to drive mass-scale digitization across Japan in support of its Society 5.0 vision and towards an inclusive recovery from the global COVID-19 pandemic. The program in Japan was unveiled at virtual event attended by Guy Diedrich, Vice President and Global Innovation Officer at Cisco, and Ichiro Nakagawa, Vice President and Head of Japan at Cisco, Wayoh Suzuki, Chairman, Cisco Japan, with remarks via video from Takuya Hirai, Japan's Minister of State for Digital Transformation, the Minister of State for the Social Security and Tax Number System and Minister in charge of Information Technology Policy.
AppDynamics announced Cisco Secure Application, a solution to drastically simplify vulnerability management, defend against attacks and protect applications - from the inside-out. Co-innovated with the Cisco Security business, the world's largest enterprise security company, this new solution correlates security and application insights through a single solution.
Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. Some of the affected devices are also Wi-Fi routers, so could well be in everyday use.
Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The flaws - tracked from CVE-2021-1289 through CVE-2021-1295 - impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.