Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.
To exploit the vulnerability, an attacker needs valid operator-level or higher access to the appliance. Once authenticated, the miscreant can steal sensitive information, such as user credentials, from a Lightweight Directory Access Protocol (LDAP) external authentication server connected to the device due to a blunder in the query process.
We can imagine a rogue insider or someone who has compromised an operator account exploiting this flaw to further penetrate a network.
"This vulnerability is due to a lack of proper input sanitization while querying the external authentication server," reads the security advisory, which was issued last week and updated yesterday with more details on available software fixes.
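The advisory attributes the bug to missing input sanitization when the appliance builds queries against the external LDAP server. The following is an added illustration, not Cisco's code and not taken from the advisory: it shows the general pattern behind this class of flaw, a search filter assembled by string concatenation, next to the fix, escaping filter metacharacters per RFC 4515 before the value is embedded. The function names, the `(&(objectClass=person)(uid=...))` filter shape and the sample username are constructed for the example.

```python
# Added example: LDAP filter construction with and without RFC 4515 escaping.
# Nothing here talks to a directory; it only shows how an unescaped value
# changes the structure of the filter that would be sent.

# RFC 4515 section 3: these characters must be escaped as \XX (hex) inside a
# filter assertion value, otherwise they are interpreted as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with LDAP filter metacharacters hex-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """The flawed pattern: user-controlled text pasted straight into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter_safe(username: str) -> str:
    """The hardened pattern: the value is escaped, so it can only match a uid."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def count_assertions(ldap_filter: str) -> int:
    """Count attribute assertions in a filter by counting literal '(' characters
    and subtracting the outer '(&' group.  Escaped parentheses (\\28, \\29) are
    hex text and are not counted, which is exactly the point of escaping."""
    return ldap_filter.count("(") - 1


if __name__ == "__main__":
    # Constructed sample inputs: a normal username and one that carries
    # filter metacharacters.
    normal = "jdoe"
    hostile = "*)(uid=*"

    for name in (normal, hostile):
        unsafe = build_user_filter_unsafe(name)
        safe = build_user_filter_safe(name)
        print(f"input {name!r}")
        print(f"  unsafe: {unsafe}  -> {count_assertions(unsafe)} assertions")
        print(f"  safe:   {safe}  -> {count_assertions(safe)} assertions")
    # For the hostile value the unsafe filter grows from two assertions to
    # three, i.e. the input has rewritten the query; the safe filter keeps two.
```

Most LDAP client libraries ship an equivalent helper (for example an escape-filter routine alongside the search call); the defensive rule is the same either way: every externally supplied value goes through the escape step, or better, through a parameterised filter API, before it reaches the directory. A quick check during review of any authentication integration is to grep for filters built with string formatting and confirm each interpolated value is escaped.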
Cisco deemed the three other vulnerabilities medium severity, though their CVSS scores range from 9.1 to 5.4. We're told miscreants haven't (yet) exploited any of these bugs either.
The 9.1-severity vuln, disclosed today and tracked as CVE-2022-20829, is in the packaging of Cisco Adaptive Security Device Manager (ASDM) software images and the validation of those images by Cisco Adaptive Security Appliance (ASA) software.
Cisco only rates the bug as medium severity, despite the high CVSS score, because an attacker needs administrative privileges to exploit this bug. By uploading a specially crafted image containing malicious code to a device running Cisco's ASA software, and waiting for a targeted user to access that device via ASDM, the rogue administrator can execute the malicious code on the user's machine.
It's a fairly complicated vulnerability to exploit with a limited set of targets, which is good considering it's only partially patched. Updating both the ASA software and the ASDM is required to fully fix this vulnerability. The vendor issued patches for all affected ASDM versions. However, Cisco only has software updates for ASA software releases 9.17 and earlier. Fixes for 9.18 won't be available until August, and there are no workarounds.
"This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software," the vendor noted.
Also today, Cisco warned customers about a 6.5-severity flaw in the CLI parser of the Cisco FirePOWER Software for Adaptive Security Appliance FirePOWER module tracked as CVE-2022-20828.
"This vulnerability could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user," according to the security advisory.
An attacker must have administrative access to the ASA and the ASA FirePOWER module to exploit the bug. But assuming that's the case, a miscreant could exploit it using a crafted CLI command or HTTPS request. Still, "the attack vector through an HTTPS request is open only if HTTPS management access is enabled on the Cisco ASA that is hosting the ASA FirePOWER module," the vendor noted.
Cisco FirePOWER Software for ASA FirePOWER module releases 6.2.2 and earlier, plus releases 6.3.0 and 6.5.0, have reached end of life, and won't be updated, so the vendor said customers should migrate to a release that includes a fix for this vulnerability.
However, one of the software updates won't be available until July and a second until December.
Finally, CVE-2022-20802, a flaw in the web interface of Cisco Enterprise Chat and Email that could lead to a cross-site scripting attack against a user of the interface, received the lowest severity score of 5.4.
An attacker would need valid agent credentials to exploit this vulnerability, and could do so by sending a crafted HTTP request to the affected system. "A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information," Cisco warned.
Cisco said it will fix versions 12.6(1) ES2 and earlier in a future software release, but didn't provide a timeline for when that will happen. ®
Australia's Competition and Consumer Commission has fined Samsung Electronics AU$14 million ($9.6 million) for making misleading water resistance claims about 3.1 million smartphones.
The Commission (ACCC) says that between 2016 and 2018 Samsung advertised its Galaxy S7, S7 Edge, A5, A7, S8, S8 Plus and Note 8 smartphones as capable of surviving short submersions in the sea or fresh water.
As it happens The Register attended the Australian launch of the Note 8 and watched on in wonder as it survived a brief dunking and bubbles appeared to emerge from within the device. Your correspondent recalls Samsung claiming that the waterproofing reflected the aim of designing a phone that could handle Australia's outdoors lifestyle.
Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.
Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting search.brave.com.
"Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."
Facebook parent Meta has settled a complaint brought by the US government, which alleged the internet giant's machine-learning algorithms broke the law by blocking certain users from seeing online real-estate adverts based on their nationality, race, religion, sex, and marital status.
Specifically, Meta violated America's Fair Housing Act, which protects people looking to buy or rent properties from discrimination, it was claimed; it is illegal for homeowners to refuse to sell or rent their houses or advertise homes to specific demographics, and to evict tenants based on their demographics.
This week, prosecutors sued Meta in New York City, alleging the mega-corp's algorithms discriminated against users on Facebook by unfairly targeting people with housing ads based on their "race, color, religion, sex, disability, familial status, and national origin."
Broadcom has made its first public comment in weeks about its plans for VMware, should the surprise $61 billion acquisition proceed as planned, and has prioritized retaining VMware's engineers to preserve the virtualization giant's innovation capabilities.
The outline of Broadcom's plans appeared in a Wednesday blog post by Broadcom Software president Tom Krause.
Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.
Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.
In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.
Amazon unveiled its first "fully autonomous mobile robot" and other machines designed to operate alongside human workers at its warehouses.
In 2012 the e-commerce giant acquired Kiva Systems, a robotics startup, for $775 million. Now, following on from that, Amazon has revealed multiple prototypes powered by AI and computer-vision algorithms, ranging from robotic grippers to moving storage systems, that it has developed over the past decade. The mega-corporation hopes to put them to use in warehouses one day, ostensibly to help staff lift, carry, and scan items more efficiently.
Its "autonomous mobile robot" is a disk-shaped device on wheels, and resembles a Roomba. Instead of hoovering crumbs, the machine, named Proteus, carefully slots itself underneath a cart full of packages and pushes it along the factory floor. Amazon said Proteus was designed to work directly with and alongside humans and doesn't have to be constrained to specific locations caged off for safety reasons.
Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.
The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.
The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.
Embedded World: RISC-V International has grown its pile of royalty-free, open specifications, with additional documents covering firmware, hypervisors, and more.
RISC-V – pronounced "risk five", and not to be confused with the other architecture of that name, RISC-5 – essentially sets out how a CPU core should work from a software point of view. Chip designers can implement these instruction set specifications in silicon, and there are a good number of big industry players backing it.
The latest specs lay out four features that compatible processors should adhere to. Two of them, E-Trace and Zmmul, will be useful for organizations building RISC-V hardware and software, and the other two could prove important in future, aiding the development of OSes to run on RISC-V computers.
Microsoft has made it official. Windows Subsystem for Linux 2 distributions are now supported on Windows Server 2022.
The technology emerged in preview form last month and represented something of an about-face from the Windows giant, whose employees had previously complained that while the tech was handy for desktop users, sticking it on a server might mean it gets used for things for which it wasn't intended.
(And Windows Server absolutely had to have the bloated user interface of its desktop stablemate as well, right?)
Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms.
While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat.
Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident.
Castrol, better known for its engine oil, has partnered with cooling specialist Submer to drive the adoption of immersion cooling for datacenter and edge applications.
For those of a certain age, Castrol will forever be associated with TV ads that proclaimed its Castrol GTX product as not just oil, but "liquid engineering." Now, however, it is teaming up with Submer to promote liquid immersion cooling as a way towards more efficient and more sustainable datacenter operations.
The two companies said they will work together on the global supply, development and standardization of next generation immersion cooling fluids. These are typically so-called dielectric fluids that conduct heat but not electricity, enabling components such as server motherboards to be cooled by being completely immersed in the fluid.
The Register - Independent news and views for the tech community. Part of Situation Publishing