Cisco has patched a high-severity bug in the web-based user interface of its IOS XE software. The flaw lets an attacker on the internet stealthily reach into internal networks without a password, by riding on the browser session of a legitimate user of that interface.
This newly disclosed issue, tracked as CVE-2019-1904, can be exploited by a remote attacker using a cross-site request forgery (CSRF) attack on affected systems.
Cisco IOS XE is the Linux-based version of the company’s internetworking operating system (IOS), used on numerous enterprise routers and Cisco Catalyst switches. Cisco confirmed the bug doesn’t affect IOS, IOS XR, or NX-OS variants.
“The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link,” Cisco explains.
In an attack scenario, a CSRF exploit could be hidden inside malicious ads, lending itself to weaponization in an exploit kit. The appeal of exploiting this flaw is that it would allow an attacker to target internal networks or admins without setting off any alarms.
An attacker who successfully exploits the flaw can perform any action the affected user could, at that user's privilege level.
“If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device,” Cisco warns.
The only way to address this vulnerability is to install software updates Cisco has made available. And those updates are only available to customers with a valid Cisco license.
The bug was discovered by researchers at Red Balloon Security, the firm that discovered Thrangrycat, a dire bug disclosed in May that affected Cisco’s Trust Anchor module (TAm), a proprietary hardware security chip present in Cisco gear since 2013.
The firm also found a separate remote code execution flaw in the web interface of IOS XE.
While there is no workaround for the new bug, disabling the HTTP Server feature closes this attack vector and “may be a suitable mitigation” until affected devices are running a fixed version, according to Cisco.
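The mitigation Cisco describes, shown as an added IOS XE CLI walk-through that is not from the article or from Cisco's advisory; the hostname `Router` is assumed and the command output is abbreviated to the status lines that matter.

```cisco
! Added example (not from the article or the advisory): the interim mitigation
! for CVE-2019-1904, disabling the HTTP Server feature on IOS XE.
!
! --- Weak state: the web UI is listening, so a logged-in admin's browser can be
! --- made to send forged requests to it (the CSRF condition in this bug).
Router# show running-config | include ip http
ip http server
ip http secure-server
!
! --- Mitigation: turn the HTTP Server feature off. The plaintext and the TLS
! --- listener are part of the same feature, so both are disabled; keeping only
! --- HTTPS does not remove the CSRF exposure, it only encrypts the forged request.
Router# configure terminal
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router(config)# end
Router# write memory
!
! --- Verify: both listeners must report Disabled. Anything that relies on the
! --- web UI (GUI management, web-based onboarding) stops working until the
! --- fixed software is installed and the feature is re-enabled.
Router# show ip http server status
HTTP server status: Disabled
HTTP server port: 80
...
HTTP secure server status: Disabled
HTTP secure server port: 443
```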
Cisco notes that there is proof-of-concept exploit code for this IOS XE vulnerability. However, it adds there’s no indication yet that the exploit code is publicly available.