back to article It's 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now

Cisco this week emitted patches for four sets of critical-severity security holes in its products along with other fixes. The worst of the bugs can be exploited by sending specially crafted IP packets to a vulnerable installation, and overflowing a memory buffer to ultimately execute code as root on the machine, allowing the …

  1. jake Silver badge

    A buffer overflow parsing packets?

    The early 1980s is on line one, they're demanding their vulnerability back.

    What's next? Default root passwords, shipped pre-installed for your convenience?

    Seriously, does nobody at Cisco understand sanitizing inputs? And worse, is there no such thing as testing code before shipping anymore? That's sad.

    1. TimMaher Silver badge
      Flame

      1980s

      That fits.

      Have just bought a 2500 desk top switch. (I know, I know. Don’t go on.)

      The web interface is so crap that you can’t even fix a static address on the management vlan.

      Apparently they have known about this for years.

      The work around is to use the cli except, their example doesn’t actually work.

      So, this morning, I am having to go back ten years in my head, armed with the eighty odd page manual, and do the fix myself.

      Utter crap!

    2. Brian Miller

      Re: A buffer overflow parsing packets?

      "It's ____ and you can ___ a ___ with ___."

      Lather, rinse, repeat.

      The problem with input parsing is that #1, you need programmers who care about that, and #2, who will care about testing said code. Most of the time, like nearly all of it, #1 and #2 are nowhere to be found, so that old phrase is apt, again.

      This isn't rocket science, but it is computer science that isn't being taught in schools. There are lots of good books about writing parsers, and software engineering for said software. The problem is getting management and programmers to pay attention, before it's headline news.

    3. sanmigueelbeer

      Re: A buffer overflow parsing packets?

      is there no such thing as testing code before shipping anymore

      Cisco has stopped testing codes internally for almost 10 years now. Getting rid of "testers" saved the company some cash.

      Has anyone seen the prices for Cisco's SDA? It is not cheap.

  2. Mike 137 Silver badge

    "does nobody at Cisco understand sanitizing inputs?"

    Does anyone, anywhere, understand sanitising inputs? Quite probably yes.

    So why is this the most common entry point for network appliance and web compromises for over 30 years?

    The majority of testing I've observed professionally is restricted to checking that expected inputs work. Checking for the unexpected is understandably harder as the field is typically much larger, but it's not impossible. Just takes resources and time, which are generally frowned on by the bean counters. There must be many developers that have to grit their teeth at products they feel to be unfinished being pushed out the door.

  3. Lee D Silver badge

    Well, obviously.

    It's software.

    General rule is that if you don't want it to be possible, you have to isolate it using hardware. If you don't want arbitrary memory access for a process, for instance, there's no point in relying on the OS to do that for you. You have to have a hardware mechanism to enforce that.

    Software-defined-anything is just software, vulnerable to all the same problems that all software has.

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Bugs, or features?

    US company, Crypto AG, etc. I'm sure you can see where I'm going with this..

    Just thought I'd give you some paranoia to get you through the weekend.

    :)

  6. Claptrap314 Silver badge

    Let's see what the judges think...

    9.8, 9.9, 9.8, 9.6

    Those are some really solid scores there. This team might easily win the gold with those numbers...

  7. pc-fluesterer.info
    Pirate

    oh shit, another backdoor uncovered

    who does believe this was not a backdoor?

    1. jake Silver badge

      Re: oh shit, another backdoor uncovered

      Ol' Bill O'Ockham says no.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like