Buggy defaults in SNMP
This week’s Cisco patch round includes a critical vuln in the kind of product least likely to get patched – a small business Ethernet switch.
The Small Business 220 Series Smart Plus switches ship with a hard-coded SNMP community string, which means if it’s visible to the Internet, a remote attacker can access its SNMP objects.
While Cisco rates the vulnerability as critical, it also notes that SNMP is off by default on the devices; it’s only if the management protocol is turned on that the devices are vulnerable.
It’s present on switches running firmware release 220.127.116.11, 18.104.22.168, and 22.214.171.124; new firmware is available.
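Why a hard-coded community string on an exposed management port rates as critical: in SNMP v1 and v2c the community string is the only authentication, and it travels in cleartext in every request. The following is an added example, not code from The Register or from Cisco, that encodes a minimal SNMPv2c GetRequest and then parses captured packets to flag any that authenticate with a known-weak community. The `WEAK_COMMUNITIES` list is constructed; the advisory's actual hard-coded string is not on the page, so it appears only as a placeholder.

```python
"""
Added example (not from the article or from Cisco): a minimal SNMPv2c
GetRequest encoder plus a detector that flags packets whose community
string is on a known-weak list.  Shows that in SNMP v1/v2c the community
string is the sole, cleartext authenticator.
"""

# Constructed list.  The real hard-coded string from the Cisco advisory is
# not on the page, so a placeholder stands in for it.
WEAK_COMMUNITIES = {b"public", b"private", b"<HARD-CODED-STRING-PLACEHOLDER>"}


def _ber_len(n):
    """BER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v):
    """BER INTEGER, minimal two's-complement encoding."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def _ber_oid(oid):
    """BER OBJECT IDENTIFIER from dotted notation, e.g. '1.3.6.1.2.1.1.1.0'."""
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Encode one SNMPv2c GetRequest (version field 1) for a single OID."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))  # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))
    # Note the community string is sent as a plain OCTET STRING.
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community) + pdu)


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln


def parse_community(packet):
    """Return (version, community) from an SNMP v1/v2c message, or None."""
    try:
        tag, body, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = _read_tlv(body, 0)
        if tag != 0x02:
            return None
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:
            return None
    except (IndexError, ValueError):
        return None
    return int.from_bytes(ver, "big", signed=True), comm


def flag_weak_community(packet):
    """True if the packet is v1/v2c and its community is on the weak list."""
    parsed = parse_community(packet)
    if parsed is None:
        return None
    version, comm = parsed
    return version in (0, 1) and comm in WEAK_COMMUNITIES


if __name__ == "__main__":
    # Constructed sample traffic: sysDescr.0 requests with two communities.
    for comm in (b"public", b"Zq7-unique-string"):
        pkt = build_get_request(comm, "1.3.6.1.2.1.1.1.0")
        print(comm, "weak:", flag_weak_community(pkt))
```

Run the same `flag_weak_community` over UDP/161 payloads captured at the perimeter to find management traffic that relies on a default or hard-coded community; the parser deliberately stops after the community field so it also handles malformed or truncated packets without raising.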
The same switches also have issues in their Web interface: a cross-site request forgery bug; a cross-site scripting issue; and a denial-of-service vulnerability.
WebEx Meetings Player can be crashed by a remote attacker – in the author’s experience it can be crashed just by trying to join a meeting, but whatever – and a new version is available.
There are also a couple of minor DoS vulnerabilities in Switchzilla’s wireless LAN controller software. ®