
This article is more than 1 year old

M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week

Replace those end-of-life VPN devices, they won't be patched

Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVE) IDs.

If you're running the end-of-life RV110W Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won't be patched and there's no workaround – so it is probably time to replace them.

Those are listed in one of two new critical-rated CVEs, the other of which Cisco fixed without your help.

Users don't need to take any action about the now-patched authentication bug in Cisco's Umbrella API (CVE-2018-0435), but that's not the case for various RV-Series routers.

The management interfaces of the RV110W, RV130W and RV215W kit have a buffer overrun (CVE-2018-0423) that leaves them vulnerable to remote attackers.

As the advisory stated: "The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition."

The Guest feature is disabled in the devices' default configuration.

Cisco has patched the RV130W Wireless-N Multifunction VPN router's firmware.

If you're running either the RV110W Wireless-N VPN firewall or RV215W Wireless-N VPN router, configure it to disable the Guest feature because Cisco already had those units on its end-of-life list.

As for the other 27 patches, 13 are rated as "High" priority and the rest are "Medium".

As well as the buffer overrun, the aforementioned routers' admin interface also has:

Cisco's vulnerability announcements also list high-rated bugs in various Webex products, Cisco's SD-WAN Solution, and management products; and there are 14 bugs rated "Medium".

Four older announcements relating to Apache Struts, FragmentSmack, SegmentSmack and an Orchestrator snafu were updated with expanded product lists. Enjoy. ®

 
