Cisco scores a perfect CVSS 10 with critical flaw in its wireless system

Cisco is issuing a critical alert notice about a flaw that makes its so-called Ultra-Reliable Wireless Backhaul systems easy to subvert. The weakness – dubbed CVE-2024-20418 and made public yesterday – is with the Unified Industrial Wireless Software that the devices use. Crucially, the flaw is serious enough that a remote …

  1. b0llchit Silver badge

    Separate networks

    "An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system,"

    And that is why you never ever(*) have any management interfaces accessible on the production network. You create a management network for this purpose that is not accessible from the production network. You still need to patch all the software holes, but it makes network subversion and penetration more difficult.

    (*)and that means never ever while the universe exists.

    1. James O'Shea Silver badge

      Re: Separate networks

      Good luck with that. Accounting will have kittens over the Unjustified Extra Expenses. They will veto it... until _after_ the network gets thumped. And maybe even then.

      1. Doctor Syntax Silver badge

        Re: Separate networks

        Ask for written confirmation that they have read and understood the proposal and accept the risks on behalf of the business. Signatures in their own blood preferred but not essential.

        1. collinsl Silver badge

          Re: Separate networks

          And that it goes on the Company Risk Register so that senior management are also aware of the decision and are tied to it for the inevitable later court cases etc.

        2. An_Old_Dog Silver badge

          Re: Separate networks

          No, no, they are essential.

          "Um, hi, why-do-you-have-a-big-knife?"

          "You will sign these documents ... with your own blood."

      2. DS999 Silver badge

        Re: Separate networks

        If you can't have an entirely separate management network, you can at least have a separate subnet for devices able to access those management interfaces. You block it by default in your router, and only allow it from that one subnet, or from a small whitelist of devices (like terminal servers or SSH waypoints).

        1. Anonymous Coward Silver badge

          Re: Separate networks

          If your kit doesn't support VLANs for such segregation, you probably have bigger issues to worry about than a trifling CVSS 10 vulnerability.
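The segregation b0llchit and DS999 describe above (management plane off the production network, management ports blocked by default, access allowed only from a dedicated management subnet or a short allow-list of jump hosts) is easy to state and easy to get subtly wrong. The following is an added example, not code from the thread or from Cisco: it models that policy, evaluates a handful of constructed connection attempts against it, and renders the same policy as an nftables ruleset for a router sitting between the production network and the device. The device address, subnet, jump hosts and ports are all constructed sample values, not anything from the article.

```python
"""Default-deny access policy for a device management interface.

Added example, not code from the thread or from Cisco. It models what the
comments above recommend: keep the management plane off the production
network, block access to management ports by default, and allow it only from
a dedicated management subnet or a short allow-list of jump hosts. The same
policy is rendered as an nftables ruleset for a router in the path. Every
address, port and hostname below is a constructed sample value.
"""
import ipaddress

# Constructed sample topology (assumptions, not values from the page).
DEVICE_MGMT_IP = "10.20.0.2"             # the device's management address
MGMT_SUBNET = "10.99.0.0/24"             # dedicated management VLAN
JUMP_HOSTS = ("10.10.5.7", "10.10.5.8")  # SSH waypoint and terminal server
MGMT_PORTS = (22, 443)                   # SSH and the HTTPS management UI


class ManagementAcl:
    """Evaluate and render a 'deny unless from management sources' policy."""

    def __init__(self, device_ip, mgmt_subnet, jump_hosts, ports):
        self.device_ip = ipaddress.ip_address(device_ip)
        self.mgmt_subnet = ipaddress.ip_network(mgmt_subnet)
        self.jump_hosts = {ipaddress.ip_address(h) for h in jump_hosts}
        self.ports = set(ports)

    def evaluate(self, src, dport):
        """Return 'accept', 'drop' or 'pass' for one connection attempt.

        'pass' means the port is not a management port, so this policy does
        not decide; ordinary rules for the device's service ports apply.
        """
        if dport not in self.ports:
            return "pass"
        addr = ipaddress.ip_address(src)
        if addr in self.mgmt_subnet or addr in self.jump_hosts:
            return "accept"
        return "drop"  # default deny for everyone else, production net included

    def audit(self, attempts):
        """Return the (src, dport) pairs this policy would drop."""
        return [(src, dport) for src, dport in attempts
                if self.evaluate(src, dport) == "drop"]

    def to_nftables(self):
        """Render the policy as an nftables forward-chain ruleset."""
        sources = ", ".join([str(self.mgmt_subnet)]
                            + sorted(str(h) for h in self.jump_hosts))
        ports = ", ".join(str(p) for p in sorted(self.ports))
        match = f"ip daddr {self.device_ip} tcp dport {{ {ports} }}"
        return "\n".join([
            "table inet mgmt_guard {",
            "    set mgmt_sources {",
            "        type ipv4_addr",
            "        flags interval",
            f"        elements = {{ {sources} }}",
            "    }",
            "    chain forward {",
            "        type filter hook forward priority 0; policy accept;",
            f"        {match} ip saddr @mgmt_sources accept",
            # Log the denial: a hit here from the production network is worth an alert.
            f'        {match} log prefix "mgmt-denied " drop',
            "    }",
            "}",
        ])


ACL = ManagementAcl(DEVICE_MGMT_IP, MGMT_SUBNET, JUMP_HOSTS, MGMT_PORTS)

# Constructed connection attempts against the management interface.
SAMPLE_ATTEMPTS = [
    ("10.99.0.15", 443),   # admin workstation on the management VLAN
    ("10.10.5.7", 22),     # SSH waypoint on the allow-list
    ("10.20.7.44", 443),   # host on the production network
    ("203.0.113.9", 443),  # external source (documentation address range)
    ("10.20.7.44", 8080),  # not a management port: outside this policy
]

if __name__ == "__main__":
    for src, dport in SAMPLE_ATTEMPTS:
        print(f"{src:>14} -> :{dport:<5} {ACL.evaluate(src, dport)}")
    print(ACL.to_nftables())
```

The two rendered rules are deliberately ordered allow-then-drop with the drop logged: the allow-list is the only path in, and anything else that reaches the management ports is recorded rather than silently discarded, which is the signal a SOC wants when a production host starts probing the management interface.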

    2. An_Old_Dog Silver badge

      Re: Separate networks

      When I read CVSS descriptions, the phrases, "a carefully-crafted http packet", and "a carefully-crafted https packet" occur so often that I think it would be safer to dump web admin interfaces and go back to TUIs, accessed via telnet over ssh.

      The idea here is that simpler source is easier to find bugs in, and being fewer lines of code, less likely to contain/hide bugs.

  2. Anonymous Coward

    Fort Meade Designed......or would that be NIST Designed.....

    ....revealed ONLY because some diligent third party found out!!

    ....your taxpayer dollar at work....in Fort Meade, at NIST....and of course at Cisco!!

    ....more out there to be found.......why can't we just get a whistleblower to blow the whistle?

    1. Mage Silver badge

      Re: Fort Meade Designed......or would that be NIST Designed.....

      Or CIA mandated backdoor?

    2. Anonymous Coward

      Re: Fort Meade Designed......or would that be NIST Designed.....

      .......are you getting paid by the dot?

      ....... because they are excessive.......

  3. Anonymous Coward

    Is there any Cisco equipment that's not a security nightmare?

    Just asking.

    1. Anonymous Coward

      Re: Is there any Cisco equipment that's not a security nightmare?

      t-shirts.

  4. Anonymous Coward

    Is there any Cisco kit that's not a security nightmare?

    Just asking.

    1. collinsl Silver badge

      Re: Is there any Cisco kit that's not a security nightmare?

      I'm sure some of their "Small business" series unmanaged switches are relatively secure.

      1. JimBz

        Re: Is there any Cisco kit that's not a security nightmare?

        Risk increases with power.
