Security News

Cisco fixes critical pre-auth bugs in SD-WAN, cloud license manager
2021-01-20 14:25

Cisco has released security updates to address pre-auth remote code execution vulnerabilities affecting multiple SD-WAN products and the Cisco Smart Software Manager software. Unauthenticated attackers can remotely exploit buffer overflow and command injection bugs to execute arbitrary code or to run arbitrary commands on the underlying operating system of devices running vulnerable releases of SD-WAN and Cisco Smart Software Manager Satellite software.

Over 70 Vulnerabilities Will Remain Unpatched in EOL Cisco Routers
2021-01-14 11:27

Cisco this week announced that it does not plan on addressing tens of vulnerabilities affecting some of its small business routers. "Cisco has not released and will not release software updates to address the vulnerabilities described []. The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products," the company underlines.

High-Severity Cisco Flaw Found in CMX Software For Retailers
2021-01-13 21:22

Cisco fixed high-severity flaws tied to 67 CVEs overall, including ones found in its AnyConnect Secure Mobility Client and in its RV110W, RV130, RV130W, and RV215W small business routers. A high-severity flaw in Cisco's smart Wi-Fi solution for retailers could allow a remote attacker to alter the password of any account user on affected systems.

Cisco expands board of directors with the appointment of John D. Harris II
2021-01-11 00:15

Cisco announced the appointment of John D. Harris II to its board of directors. "We are very pleased to welcome John to the Cisco Board," said Chuck Robbins, chairman and CEO, Cisco.

VMware, Cisco Reveal Impact of SolarWinds Incident
2020-12-21 12:37

VMware and Cisco have shared information on the impact of the SolarWinds incident, and VMware has responded to reports that one of its products was exploited in the attack. The NSA advisory on the exploitation of the VMware vulnerability also mentions SAML abuse and security blogger Brian Krebs reported learning from sources that the SolarWinds attackers also exploited the VMware flaw.

Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts
2020-12-14 19:50

A man has been sentenced to two years in jail after being convicted of hacking Cisco's Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California. As a result, 16,000 WebEx Teams accounts were shut down for up to two weeks, and the incident cost Cisco about $1.4 million in remediation costs, including refunding $1 million to affected customers, according to a court announcement.

Former Cisco Employee Sentenced to Prison for Webex Hack
2020-12-14 12:24

An Indian national who moved to California on an H1-B work visa was sentenced to 24 months in prison last week for accessing and damaging Cisco's network. Ramesh is a former Cisco employee, who resigned in April 2018.

Cisco re-patches wormable Jabber RCE flaw
2020-12-14 11:39

In September 2020, Cisco patched four Jabber vulnerabilities, but as it turns out, three of four have not been sufficiently mitigated. The incompleteness of the patches was discovered by Watchcom researchers - who discovered and disclosed the batch of vulnerabilities made public in September - after one of their clients requested they verify the effectiveness of Cisco's patches.

Rogue ex-Cisco employee who crippled WebEx conferences and cost Cisco millions gets two years in US prison
2020-12-12 11:04

A former Cisco employee who went medieval on his former employer and cost the company millions has been sentenced to two years in prison and a $15,000 fine. Five months later he used access credentials to get back into Cisco's systems and deleted virtual machines on Webex - borking more than 16,000 WebEx Teams accounts for two weeks in some cases and costing Cisco $2.4m in refunds and repair work.

Cisco Patches Wormable, Zero-Click Vulnerability in Jabber
2020-12-11 12:44

Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client. The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS. "An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution," Cisco explains.