SD-WAN admin? Your number came up in Cisco's latest bug list

Are these mistakes, or back doors?

I mean really, Cisco is supposed to be the big dog, the one that has the engineers and an industry standard. But their exploits are so powerfull that it just feels like a lot of these are backdoors that they decided to close once they got into the wild, to prevent loosing business. Makes me wonder just how many backdoors there are into their products. They should start password protecting these, maybe work with RSA (another week backdoor maker) and come up with a semi secure backdoor using both their products. Bah, doesn't matter, as the NSA says - All your data are belong to U.S.

Starting points for security researchers

CDP on IOS-XE: remote code execution

I reported this but got blown off 18 months ago. Using any XE image 3.12 or later, especially on switches, single-step the CDP module to find an overflow. In some versions, the kernel segfaults (overflow) simply parsing changes to native vlan changes from the remote. CSR1000v can be used to reproduce. The error is probably in misuse of sk_buff and Alan Cox's psnap module.

SAML on ISE Man in the middle

Reported this two years ago, got blown off. ISE's SAML implementation incorrectly reports SAML versioning in their schema when identifying the Sp. This is due to hard coded values and ignoring settings from the IDp. It seems that the SAML service also ignores updated authentication tokens. Turn on verbose logging and intercept packets in transit between ISE and AD FS... alter packets and fake signatures to reproduce.

ISE Web Portal

just message me for a really long list. I'm typing with a mouse because my keyboard batteries died.

Cisco only cares about security after it's a public CVE