The Channel logo

News

By | Shaun Nichols 21st September 2016 22:22

Cisco snaps shut remote pwnage hole in Cloud Services Platform

Flaw allowed hijacking via HTTP snippets

Cisco has provided a patch to address a remote hijacking vulnerability in its Cloud Services Platform (CSP).

Switchzilla said that all customers who run CSP 2100 software should install the 2.1.0 update to close a remote code execution flaw it considers to be a high security risk.

Designed as an efficient way to manage virtualized network services and components, CSP is installed as a Linux x86 virtual machine built into a Cisco network appliance. The system includes a web-based GUI for device management.

Cisco says that the flaw (CVE-2016-6374) allows an attacker to send malformed HTTP requests to achieve remote code execution.

Specifically, Cisco warns, the attacker will be able to shoot the targeted system a poisoned DNS-lookup request through the CSP web interface. That attacker could then execute commands on the server without the need for further authentication.

Cisco noted that, aside from installing the update, there are no known mitigations for the vulnerability. No other Cisco appliances or hardware are believed to be subject to the flaw, and Cisco says it is not aware of any attempts to exploit the vulnerability in the wild.

The patch comes just three days after Cisco issued a fix for another high-severity flaw in its IOS platform.

That flaw, spotted during the "Shadow Brokers" review, allowed for a cock-up in the handling of IKE requests to open up memory contents to a remote attacker, potentially allowing for information disclosure. ®

comment icon Read 2 comments on this article or post a comment alert Send corrections

Opinion

Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella
Stranded_ships

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral

Features

STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'