Thursday, October 6, 2022

Cisco Systems, SonicWall and VMware issue important patches

Three of the biggest vendors of networking and data centre equipment – Cisco Systems, SonicWall and VMware – have issued security updates to fix serious vulnerabilities in their products.

IT administrators are urged to install these patches as soon as possible before threat actors develop exploits to take advantage of them.

Cisco

Cisco issued no fewer than 31 patches for products this week, many for its IOS XE operating system.

One of them, CVE-2021-34770, for the Catalyst 9000 Family Wireless Controllers, is rated critical.

“The vulnerability is due to a logic error that occurs during the validation of CAPWAP packets,” Cisco’s advisory says. “An attacker could exploit this vulnerability by sending a crafted CAPWAP packet to an affected device. A successful exploit could allow the attacker to execute arbitrary code with administrative privileges or cause the affected device to crash and reload, resulting in a DoS condition.”

Vulnerable products include:

– Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches

– Catalyst 9800 Series Wireless Controllers

– Catalyst 9800-CL Wireless Controllers for Cloud

– Embedded Wireless Controller on Catalyst Access Points

SonicWall

SonicWall reported a critical arbitrary file deletion vulnerability in its SMA 100 series appliances. These include the SMA 200, 210, 400, 410 and 500v devices.

The vulnerability (SNWLID-2021-0021 in SonicWall’s parlance, or CVE-2021-20034) is due to an improper limitation of a file path to a restricted directory, potentially leading to arbitrary file deletion as the ‘nobody’ user. As a result, a remote attacker could obtain administrator access on the underlying host.
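The flaw class SonicWall describes, a file operation whose path is not properly confined to its intended directory, is worth seeing next to the check that closes it. The following is an added illustration written for this article, not SonicWall’s code and not a reproduction of the SMA 100 issue: a hypothetical delete handler in its unchecked form beside a hardened form that resolves the final path (following symlinks) and refuses anything outside the base directory. The directory names and files are constructed inside a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[Path]:
    """Resolve user_path beneath base_dir and return the real path, or None
    if the resolved path escapes base_dir. Path.resolve() follows symlinks
    and collapses '..' segments, so the containment test is done on the
    final filesystem location rather than on the raw string."""
    base = Path(base_dir).resolve()
    # pathlib discards 'base' when user_path is absolute; resolve() then
    # yields a path outside base and relative_to() rejects it below.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the restricted directory
    return candidate


def delete_unchecked(base_dir: str, user_path: str) -> bool:
    """Hypothetical vulnerable handler: joins the caller-supplied path onto
    the base directory and deletes whatever that names, with no check that
    the result is still inside base_dir (the CWE-22 pattern)."""
    target = os.path.join(base_dir, user_path)
    os.remove(target)
    return True


def delete_contained(base_dir: str, user_path: str) -> bool:
    """Hardened handler: only deletes a regular file whose resolved location
    lies within base_dir. Returns False when the request is rejected."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not target.is_file():
        return False
    os.remove(target)
    return True


def run_demo() -> dict:
    """Constructed scenario: an 'uploads' directory the handler may manage
    and a sibling file it must never touch."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        (uploads / "report.txt").write_text("ok")
        secret = Path(tmp) / "secret.txt"
        secret.write_text("keep me")

        results = {}
        # Hardened handler rejects the traversal and the sibling file survives.
        results["hardened_rejects_traversal"] = not delete_contained(
            str(uploads), "../secret.txt"
        )
        results["secret_survives_hardened"] = secret.exists()
        # Legitimate deletion inside the directory still works.
        results["hardened_allows_in_dir"] = delete_contained(str(uploads), "report.txt")
        # Unchecked handler removes the sibling file, demonstrating the defect.
        results["vulnerable_deletes_outside"] = (
            delete_unchecked(str(uploads), "../secret.txt") and not secret.exists()
        )
        return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The important design choice is that containment is tested on the resolved path, not on the submitted string: rejecting the literal `..` sequence is not enough once symlinks, absolute paths or encoded separators come into play. Running the handler as a low-privilege account (the ‘nobody’ user in SonicWall’s description) limits what a successful deletion can reach, but as the advisory shows it does not by itself prevent a deletion from being leveraged for further access.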

So far, SonicWall said, there is no evidence this vulnerability is being exploited in the wild. Still, it “strongly urges” administrators to immediately install the patch.

VMware

VMware issued an alert about vulnerabilities in vCenter Server 6.5, 6.7, and 7.0. “This needs your immediate attention,” technical marketing expert Bob Plankers said in a blog.

“These updates fix a critical security vulnerability, and your response needs to be considered at once,” he said. “Organizations that practice change management using the ITIL (Information Technology Infrastructure Library) definitions of change types would consider this an ‘emergency change.’ All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.”

“The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.”

The other issues, he added, have lower CVSS scores but may still be usable by an attacker who is already inside your organization’s network.
