Cisco has revealed two more highly critical security bugs affecting its data-center software, a week after telling customers to patch core network-management products.
The newly disclosed bugs affect Cisco’s Data Center Network Manager (DCNM) software and once again are in its web-based management interface.
Both flaws can be exploited by anyone on the internet and are rated as critical, with severity ratings of 9.8 out of 10.
DCNM is the network management system for all NX-OS systems that use Cisco’s Nexus hardware in data centers. The software is used to automate provisioning, troubleshooting, and spotting configuration errors.
In other words, it’s a crucial piece of software for organizations that use Nexus switches, whose NX-OS operating system got patches for an equally severe flaw in May.
The first issue, CVE-2019-1619, is an authentication bypass in DCNM’s web interface that allows an attacker to obtain a valid session cookie without knowing the admin user password.
Attackers would need to send a specially crafted HTTP request to an undisclosed but specific web servlet on affected devices to get that session cookie. Should attackers gain the cookie, they’d be able to control the device with administrative privileges.
Cisco has now excised that particular web servlet in DCNM software release 11.1(1). However, it had deprecated the servlet in release 11.0(1), meaning it had removed the attack vector in that version already.
The company is urging customers to upgrade to DCNM software release 11.1(1), which it released in early May, or later to address the issue.
The second flaw would allow anyone on the internet to upload malicious files to the DCNM filesystem on affected devices. Again, this bug is due to an undisclosed but specific web servlet that Cisco removed completely in software release 11.2(1), which Cisco released in June.
“The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device,” Cisco explained in its advisory for the bug CVE-2019-1620.
“A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.”
While customers on DCNM release 11.2(1) and later should be safe, Cisco notes that attackers targeting release 11.1(1) could gain unauthenticated access to the affected web servlet and exploit the flaw. In the 11.0(1) release, an attacker would need to be authenticated to the DCNM web interface to exploit it.
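The release-by-release exposure described above can be turned into an inventory check. The following is an added example, not code from Cisco or from the article; the hostnames are hypothetical, the sample inventory is constructed, and releases between the ones the article names are assumed to behave like the nearest lower named release.

```python
import re

# Release thresholds named in the article, as (major, minor, maintenance).
R_11_0_1, R_11_1_1, R_11_2_1 = (11, 0, 1), (11, 1, 1), (11, 2, 1)

def parse_release(text):
    """Parse a DCNM release string such as '11.1(1)' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised DCNM release string: {text!r}")
    return tuple(int(g) for g in m.groups())

def exposure(release):
    """Map a release to the exposure the article states for each CVE.

    Assumption: releases between the ones the article names are binned
    with the nearest lower named release.
    """
    v = parse_release(release)
    if v >= R_11_1_1:
        bypass = "fixed: servlet removed"
    elif v >= R_11_0_1:
        bypass = "mitigated: servlet deprecated, upgrade advised"
    else:
        # Inferred: the article names 11.0(1) as where the vector was removed.
        bypass = "exposed: unauthenticated"
    if v >= R_11_2_1:
        upload = "fixed: servlet removed"
    elif v >= R_11_1_1:
        upload = "exposed: unauthenticated"
    elif v >= R_11_0_1:
        upload = "exposed: authenticated"
    else:
        upload = "unknown: not stated in the article"
    return {"CVE-2019-1619": bypass, "CVE-2019-1620": upload}

def needs_upgrade(inventory):
    """Return hosts, sorted, where either CVE is not reported as fixed."""
    return sorted(host for host, rel in inventory.items()
                  if any(not s.startswith("fixed") for s in exposure(rel).values()))

# Constructed sample inventory (hostnames are hypothetical).
SAMPLE = {"dcnm-lab": "10.4(2)", "dcnm-a": "11.0(1)",
          "dcnm-b": "11.1(1)", "dcnm-c": "11.2(1)"}

if __name__ == "__main__":
    for host, rel in SAMPLE.items():
        print(host, rel, exposure(rel))
    print("upgrade:", needs_upgrade(SAMPLE))
```

Note that 11.1(1) clears CVE-2019-1619 but is the release where CVE-2019-1620 is reachable without authentication, so only 11.2(1) and later drop out of the upgrade list.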
Both bugs were found by Pedro Ribeiro, who reported them through iDefense’s Vulnerability Contributor Program. Cisco said it is not currently aware of any attacks that exploit these bugs.