Re: Directory Traversal
Based on my experience of Cisco products, it's probably not a dumb question.
To create Cisco, a very specific development process is followed:
- startup creates software (quality varies, but let's say it's X)
- Cisco buys product and gives it a light rebrand and functionality remains similar to original. There may even be patches.
- Cisco begins to integrate product X into its standard offering for that product portfolio. Imagine the screams of the damned as a product of quality X is merged with an existing internal product of quality Y where the quality of Y >> 0. The number of key features removed from both products should relate to the order of magnitude of the version change.
- while customers still buy the product, keep mangling the software.
Now, given this process of mutilation, the idea of running security tools over the code will likely result in a "can we just disable that feature?" response rather than a "we should fix that" response.
Or worse, maybe Cisco sees these security vulnerabilities as a chance to upsell the solution to include firewalls to protect their flimsy solutions...
/cynicism