Cisco confirms new IOS flaw
Cisco Systems Inc. said there's no fix yet for a new security hole in its Internetwork Operating System (IOS) HTTP Server. But the company said in an advisory that it is working on
The San Jose, Calif.-based networking giant said its advisory "applies to all Cisco products that run Cisco IOS software versions 11.0 through 12.4 with the HTTP server enabled."
An advisory from iDefense Security Intelligence Services, a division of Mountain View, Calif.-based VeriSign Inc., described the problem as an input validation flaw attackers could exploit to run malicious scripting code.
"The vulnerability specifically exists due to insufficient filtering of user-supplied data, which is displayed in the Cisco HTTP status pages," iDefense said. "One of the status pages included in the IOS 11 HTML package displays information about current CDP protocol statistics. The Cisco Discovery Protocol (CDP) is a proprietary, medium-independent protocol that runs over Layer 2 (the data link layer) on the Content Services Switches (CSS) and other Cisco manufactured equipment, such as routers, switches, bridges and access servers."
As workarounds, Cisco recommended users disable CDP functionality if it is not required, or disable the Web administration interface.
Security hole plagues Check Point VPN software
Symantec Corp. is reporting a security hole in VPN software from Redwood City, Calif.-based Check Point Software Technologies Ltd. The Cupertino, Calif.-based AV firm e-mailed an advisory to customers of its DeepSight Threat Management System Tuesday, saying that the Check Point VPN-1 SecureClient application may not use properly quoted paths to call applications. Attackers could exploit this flaw to launch malicious code, Symantec said.
"A malicious file may be executed instead of an intended file," Symantec said. "This may facilitate privilege escalation." Describing the problem in more detail, Symantec said, "The 'SR_Watchdog.exe' process attempts to spawn the 'SR_GUI.exe' process during startup without using properly quoted paths. Due to the lack of quoting, 'C:\Program.exe', and other locations will be tried during the search for the intended executable. If one of the files exists, it will be executed with elevated privileges inherited from 'SR_Watchdog.exe.'"
Symantec said specific information about affected versions of Check Point VPN-1 SecureClient is unavailable at this time.
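The search order Symantec describes can be reproduced to audit any launch command for the same weakness. The Python below is an added example, not code from Symantec or Check Point: the function names are hypothetical, the install directory in the sample is constructed because the advisory gives no path, and the intended image name is assumed to end in .exe.

```python
import ntpath
import os

def candidate_paths(command_line):
    """Image paths tried, in order, when a launcher passes this command
    line without a separate application name (CreateProcess behaviour)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # Quoted: the image is exactly the text between the quotes.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    tried = []
    for i, token in enumerate(tokens, start=1):
        if not token:
            continue  # run of spaces, no new boundary
        prefix = " ".join(tokens[:i])
        name = ntpath.basename(prefix)
        # ".exe" is appended when the name has no extension.
        tried.append(prefix if "." in name else prefix + ".exe")
        if name.lower().endswith(".exe"):
            break  # assumption: intended image; the rest are arguments
    return tried

def shadow_paths(command_line):
    """Paths tried before the intended image; none of them should exist."""
    return candidate_paths(command_line)[:-1]

def audit(command_line, exists=os.path.exists):
    """Shadow paths present on disk (run on the Windows host itself)."""
    return [p for p in shadow_paths(command_line) if exists(p)]

def quote_image(image_path, args=""):
    """The corrected form: the image path wrapped in double quotes."""
    return ('"%s" %s' % (image_path, args)).strip()

# Constructed sample: the advisory names SR_GUI.exe but gives no directory.
SAMPLE = r"C:\Program Files\Example Vendor\Secure Client\SR_GUI.exe -start"

if __name__ == "__main__":
    for path in shadow_paths(SAMPLE):
        print("must not exist:", path)
    fixed = quote_image(candidate_paths(SAMPLE)[-1], "-start")
    print("quoted form:", fixed, "->", shadow_paths(fixed))
```

An empty result from shadow_paths means the command line leaves no earlier location to be searched, which is the case for the quoted form.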