What a lovely number of security bug fixes. I wonder if they saved some up till they got the right number?
Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical. Those five critical vulnerabilities include two remote code execution bugs (CVE-2020-3323, CVE-2020-3321) – with no workarounds for either other than patching – and one each of authentication bypass (CVE-2020-3144), …
443 bugs fixed - does anyone think that there are not more bugs out there undiscovered yet? Or that implementing 443 bug fixes in one day will not lead to a few new bugs, where one bug fix interacts with another bug fix to introduce a new bug that we don't know about yet?
"Or that implementing 443 bug fixes in one day will not lead to a few new bugs"
How will you tell the difference between the bugs you're hitting before or after?
Or are the fixes intended for hackers who have successfully compromised Oracle installs and find the platform too unstable to launch attacks from?
I wonder how many unpatched known vulnerabilities are out there. I know of at least one which affects the "Secure Boot" process and allowed the fake Cisco routers to function but there are undoubtedly many more. I don't keep track because I've purged Cisco from my system.
I'm not sure the bug was within Secure Boot - if you had access to the hardware you could flash a counterfeit loader that bypassed some checks. As the manufacturer didn't make the hardware or hacked bootloader, your checks maybe inadequate but that opens up a huge range of hardware to the same charge given the equipment release date.
Secure boot was introduced at about the 2nd or 3rd maintenance release for 2960X switches at which point counterfeit switches failed to boot due to a hardware limitation.
This is based on my experience of RMAing faulty 2960Xs. Cisco realised they were grey market as soon as a TAC case was opened with the serial numbers and the reseller was very sheepish about replacements.
Biting the hand that feeds IT © 1998–2022