Network Security, Patch/Configuration Management, Vulnerability Management

Cisco remedies critical unauthorized access bug in Cloud Services Platform

Cisco Systems on Wednesday issued a security update to repair a critical unauthorized access bug in its Cloud Services Platform (CSP) 2100.

According to a Cisco advisory, the CSP2100 flaw can be exploited by authenticated, remote attackers to interact with virtual machines operating on an affected device, causing "a complete loss of the system's confidentiality, integrity, and availability." Officially designated CVE-2017-12251, the bug was assigned a Common Vulnerability Scoring System (CVSS) base score of 9.9.

Cisco reports that the vulnerability is "due to weaknesses in the generation of certain authentication mechanisms in the URL of the web console," which allow malicious actors to browse to a hosted VM's URL and observe "specific patterns that control the web application's mechanisms for authentication control." The flaw, which has no workarounds, is fixed in CSP 2100 release 2.2.3.

Additionally, Cisco published 15 other new security advisories on Oct. 18, including three addressing high-severity vulnerabilities. In these advisories, the company announced further fixes for a denial of service bug in the authentication, authorization, and accounting (AAA) implementation of its Firepower Extensible Operating System (FXOS) and NX-OS System Software, and for a denial of service bug in various IP phone models.

Days earlier, the company published an advisory listing products affected by the high-profile set of KRACK vulnerabilities recently found in Wi-Fi devices. As of an Oct. 18 update, Cisco has announced that 69 of its products have been confirmed affected, with more under investigation. The company has also begun distributing its first fixed releases for wireless technology impacted by KRACK, with more to come in the following days.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
