Cisco fixes critical flaw in network management platform
The latest security hole is patched just days before the firm’s flagship Cisco Live 2020 conference
Cisco has urged its customers to update their Firepower Management Center (FMC) after patching a critical vulnerability that could have given attackers administrative privileges on affected devices.
Dubbed CVE-2019-16028, the vulnerability has been found in the firm’s platform for managing its network security products, including firewalls or malware protection. It has been given a CVE rating of 9.8, meaning it has been branded as ‘critical’
RELATED RESOURCE
How targeted simulations differ from penetration tests and vulnerability scanning
Stay one step ahead of cyber attackers
“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server,” an advisory from the company said.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.
“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.”
The flaw affects numerous versions of FMC, including several that have reached end-of-life, namely 6.1.0, 6.2.0, 6.2.1, and 6.2.2. Cisco has advised businesses using these iterations to upgrade to a release that integrates the fix before patching, such as versions 6.2.3, 6.3.0, 6.4.0, or 6.5.0.
The networking giant’s latest security issue has arisen just days before the firm is set to host its flagship Cisco Live 2020 conference in Barcelona.
The company has endured a topsy-turvy 2019, with a spate of security issues and negative headlines affecting its fortunes. For example, in August last year, three major vulnerabilities were found in the most popular switches used by its small and medium-sized business (SMB) customers.
This is in addition to its WebEx and Zoom platforms being hit with the ‘prying eye’ flaw in October, that would allow an attacker to use an enumeration attack to find open calls or meetings, if successfully exploited.
-
What is Microsoft Maia?Explainer Microsoft's in-house chip is planned to a core aspect of Microsoft Copilot and future Azure AI offerings
-
If Satya Nadella wants us to take AI seriously, let’s forget about mass adoption and start with a return on investment for those already using itOpinion If Satya Nadella wants us to take AI seriously, let's start with ROI for businesses
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
