OpenSSL swats a dozen bugs, one notable nasty

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Cisco has shrunk its Catalyst 9200 switches into three compact models.

Switchzilla reckons they exercise the newfound freedom to undertake remote work by letting organizations squeeze a proper enterprise switch into a wider variety of smaller and more exotic places.

The smallest of the models measures 4.4cm x 26.9cm x 16.5cm, and the other two add a little depth to emerge at 4.4cm x 26.9cm x 24.4cm. All are fanless, leading Cisco to suggest you bolt them under desks, nail them to walls, or even slide one into a home office.

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

Cisco has decided it's time to leave Russia and Belarus, almost four months after stopping operations in response to Russia's illegal invasion of Ukraine.

The networking giant announced it would halt operations in Russia and Belarus "for the foreseeable future" on March 3 this year.

A June 23 update suggests Cisco sees no future in either nation.

Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

"We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

"Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

Cisco's Nexus Cloud will eventually allow customers to manage their datacenter networks entirely from the cloud, says the networking giant.

The company unveiled the latest addition to its datacenter-focused Nexus portfolio at Cisco Live this week, where the product set got a software-as-a-service (SaaS) revamp.

"It's targeted at network operations teams that need to manage, or want to manage, their Nexus infrastructure as well as their public-cloud network infrastructure in one spot," Cisco's Thomas Scheibe – VP product management, cloud networking for Nexus & ACI product lines – told The Register.

If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

Networking kingpin Cisco is hiring more cautiously to indicate that it, like many peers, is taking note of macroeconomic red flags.

"It's a time to be prudent," Richard Scott Herren, Cisco senior veep and chief financial officer told the Nasdaq Investor Conference. "I think it is a time for everyone to be prudent… so we're doing the same."

The hot spots – or the "highest priority items for us" – including security, will continue to see investments in headcount, he said.

A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

"It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

"This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said.