Cisco Releases Three Security Advisories


By Stefanie Hoffman, ChannelWeb
8:06 PM EDT Wed. May. 21, 2008
Cisco reported three security advisories this week, addressing vulnerabilities in its Service Control Engine, IOS Secure Shell Server and the Cisco Unified Customer Voice Portal that could lead to Denial of Service attacks and privilege escalation. Specifically, two Cisco advisories address Denial of Service errors in the IOS Secure Shell Server and the Service Control Engine.

The Cisco Service Control Engine contains three vulnerabilities that could allow an attacker to completely reload the SCE. The errors could potentially be triggered during a login activity within an aggressive timeframe or by normal login activity in combination with other control engine management activities. The vulnerabilities could also be triggered during SSH login through specific actions regarding invalid authentication credentials.

The Secure Shell server in Cisco IOS also contains numerous vulnerabilities that could enable an unauthenticated user to create a memory access error or, in certain cases, use the vulnerability to reload the device.

Meanwhile, the third Cisco advisory warns of a privilege escalation error in the Cisco Unified Customer Voice Portal that could allow a potential attacker to create, modify or delete an account with elevated privileges.

While there are no immediate workarounds, Cisco has released software upgrades addressing the vulnerabilities found in the Service Control Engine and Customer Voice Portal, which are available for free to affected customers.

None of the vulnerabilities allows an attacker to execute code remotely. However, a posting on the SANS Institute Web site warned that with memory access issues that lead to a Denial of Service, "thoughts immediately go to arbitrary code execution."

"There is no evidence that this is possible, but in light of the recent work in IOS rootkits, vulnerabilities in Cisco devices should not be taken lightly," SANS said.

So far, however, there are no known exploits loose in the wild.

SANS said that CORE Security researcher Sebastian Muniz is scheduled to release a proof-of-concept Cisco IOS rootkit Thursday at the EuSecWest Conference in London.

