Topic: Cisco advisories/updates  (Read 42424 times)
« Reply #165 on: October 08, 2014, 12:22:33 »
AplusWebMaster

FYI...

> http://tools.cisco.com/security/center/publicationListing.x

Cisco ASA Software - multiple vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa
2014 Oct 8 - "Summary: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Denial of Service Vulnerability
- Cisco ASA IKEv2 Denial of Service Vulnerability
- Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
- Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
- Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
- Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Failover Command Injection Vulnerability
- Cisco ASA VNMC Command Input Validation Vulnerability
- Cisco ASA Local Path Inclusion Vulnerability
- Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
- Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
- Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others... Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available..."
- http://www.securitytracker.com/id/1030979
CVE Reference: CVE-2014-3382, CVE-2014-3383, CVE-2014-3384, CVE-2014-3385, CVE-2014-3386, CVE-2014-3387, CVE-2014-3388, CVE-2014-3389, CVE-2014-3390, CVE-2014-3391, CVE-2014-3392, CVE-2014-3393, CVE-2014-3394
Oct 9 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 7.2(5.15), 8.4(7.23), 8.6(1.15), 8.7(1.14), 9.0(4.24), 9.1(5.12), 9.2(2.8), and 9.3(1.1) ...

« Last Edit: October 09, 2014, 03:12:55 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #166 on: October 16, 2014, 02:24:06 »
AplusWebMaster

FYI...

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
2014 Oct 15 - "Summary: On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. SSLv3 is a cryptographic protocol designed to provide communication security, which has been superseded by Transport Layer Security (TLS) protocols. By exploiting this vulnerability, an attacker could decrypt a subset of the encrypted communication.
Affected Products: Cisco is evaluating products to determine their exposure to this vulnerability.
Products will be listed in the Vulnerable Products section of this advisory if they fit both the following criteria:
    SSLv3 is supported by the product
    A block cipher in CBC mode is one of the transform sets being offered
Products will be listed in the Products Confirmed Not Vulnerable section of this advisory if they fit either of the following criteria:
    SSLv3 is not supported by the product
    SSLv3 is supported by the product but no block cipher in CBC mode is offered in the transform set...
The list of vulnerable products will be populated as the products are being evaluated..."

Cisco TelePresence Video Communication Server and Cisco Expressway Software Multiple Vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs
2014 Oct 15 - "Summary: Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software includes the following vulnerabilities:
    Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a Denial of Service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securitytracker.com/id/1031055
CVE Reference: CVE-2014-3368, CVE-2014-3369, CVE-2014-3370
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target system to crash and reload.
Solution: The vendor has issued a fix (X8.2)...

Cisco TelePresence MCU Software Memory Exhaustion Vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-mcu
2014 Oct 15 - "Summary: A vulnerability in the network stack of Cisco TelePresence MCU Software could allow an unauthenticated, remote attacker to cause the exhaustion of available memory which could lead to system instability and a reload of the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securitytracker.com/id/1031054
CVE Reference: CVE-2014-3397
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): prior to 4.3(2.30)...
The following models are affected:
Cisco TelePresence MCU 4200 Series
Cisco TelePresence MCU 4500 Series
Cisco TelePresence MCU MSE 8420
Impact: A remote user can consume all available memory, causing the system to become unstable and reload.
Solution: The vendor has issued a fix (4.3(2.30))...

Cisco Unified Communications Domain Manager Multiple Vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
2014 Oct 13 - Rev. 3.0 - "Summary: Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:
- Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
- Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
- Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability
Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.
Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.
Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available. Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the "Workarounds" section of this advisory.
Note: Due to an error in the fix of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability, all Cisco Unified CDM Platform Software releases are vulnerable regardless if a previous patch has been applied due to this security advisory. This advisory has been updated to provide additional information about the fix for the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability..."
Rev 3.0 - 2014-Oct-13 - Added important information regarding fixed versions of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
