Bad password check lets anyone log into Cisco WLAN controls • The Register

2022-05-14 09:45:42 By : Mr. Willy Kuan

Cisco on Tuesday issued a critical security advisory for its Wireless LAN Controller (WLC), used in various Cisco products to manage wireless networks.

A vulnerability in the software's authentication code (bug type CWE-303) could allow an unauthenticated remote attacker to bypass authentication controls and login to the device via its management interface.

"This vulnerability is due to the improper implementation of the password validation algorithm," Cisco's advisory says. "An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials.

"A successful exploit could allow the attacker to bypass authentication and log in to the device as an administrator."

The advisory refers to the vulnerability as CVE-2022-20695 and notes that if the flaw is successfully exploited, the attacker can gain administrator privileges. Cisco has bestowed the vulnerability with a severity rating of 10.0 out of 10.0. That's as bad as it gets for those whose rating scale does not go to 11.0, otherwise known as "the call is coming from inside the house!"

The following Cisco products are affected if they're running Cisco WLC Software Release 8.10.151.0 or Release 8.10.162.0 and have MAC Filter RADIUS Compatibility mode set to Other:

That setting, if not top of mind, can be determined by entering the show macfilter summary command in the wlc command line interface for the device.

Creating a MAC address filter on a WLC offers admins a way to grant or deny access to the WLAN network based on the client MAC address. Cisco WLCs support either local MAC authentication or MAC authentication using a RADIUS server.

The advisory, though dire, does describe potential workarounds for those who don't use MAC filters in their environment. If that's the case, just fire up the CLI and enter config macfilter radius-compat cisco at the wlc prompt.

Even for those who do use macfilters with their Cisco gear, the CLI offers a way out by allowing modification of the macfilter compatibility setting to either cisco or free.

Keep in mind that Cisco is only providing these workarounds for those unable to patch immediately. The network gear biz wants customers to understand that it isn't responsible if mitigation efforts go awry.

"While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions," the advisory cautions.

Speaking of severe bugs, HP this month updated its Teradici PCoIP client to close off a bunch of libexpat security flaws as well as the OpenSSL DoS hole that we covered earlier.

AI will completely automate the network within five years, Juniper CEO Rami Rahim boasted during the company’s Global Summit this week.

“I truly believe that just as there is this need today for a self-driving automobile, the future is around a self-driving network where humans literally have to do nothing,” he said. “It's probably weird for people to hear the CEO of a networking company say that… but that's exactly what we should be wishing for.”

Rahim believes AI-driven automation is the latest phase in computer networking’s evolution, which began with the rise of TCP/IP and the internet, was accelerated by faster and more efficient silicon, and then made manageable by advances in software.

Astronomers have captured a clear image of the gigantic supermassive black hole at the center of our galaxy for the first time.

Sagittarius A*, or Sgr A* for short, is 27,000 light-years from Earth. Scientists knew for a while there was a mysterious object in the constellation of Sagittarius emitting strong radio waves, though it wasn't really discovered until the 1970s. Although astronomers managed to characterize some of the object's properties, experts weren't quite sure what exactly they were looking at.

Years later, in 2020, the Nobel Prize in physics was awarded to a pair of scientists, who mathematically proved the object must be a supermassive black hole. Now, their work has been experimentally verified in the form of the first-ever snap of Sgr A*, captured by more than 300 researchers working across 80 institutions in the Event Horizon Telescope Collaboration. 

A Tor-hidden website dubbed the Eternity Project is offering a toolkit of malware, including ransomware, worms, and – coming soon – distributed denial-of-service programs, at low prices.

According to researchers at cyber-intelligence outfit Cyble, the Eternity site's operators also have a channel on Telegram, where they provide videos detailing features and functions of the Windows malware. Once bought, it's up to the buyer how victims' computers are infected; we'll leave that to your imagination.

The Telegram channel has about 500 subscribers, Team Cyble documented this week. Once someone decides to purchase of one or more of Eternity's malware components, they have the option to customize the final binary executable for whatever crimes they want to commit.

A Ukrainian man has been sentenced to four years in a US federal prison for selling on a dark-web marketplace stolen login credentials for more than 6,700 compromised servers.

Glib Oleksandr Ivanov-Tolpintsev, 28, was arrested by Polish authorities in Korczowa, Poland, on October 3, 2020, and extradited to America. He pleaded guilty on February 22, and was sentenced on Thursday in a Florida federal district court. The court also ordered Ivanov-Tolpintsev, of Chernivtsi, Ukraine, to forfeit his ill-gotten gains of $82,648 from the credential theft scheme.

The prosecution's documents [PDF] detail an unnamed, dark-web marketplace on which usernames and passwords along with personal data, including more than 330,000 dates of birth and social security numbers belonging to US residents, were bought and sold illegally.

David Harville, eBay's former director of global resiliency, pleaded guilty this week to five felony counts of participating in a plan to harass and intimidate journalists who were critical of the online auction business.

Harville is the last of seven former eBay employees/contractors charged by the US Justice Department to have admitted participating in a 2019 cyberstalking campaign to silence Ina and David Steiner, who publish the web newsletter and website EcommerceBytes.

Former eBay employees/contractors Philip Cooke, Brian Gilbert, Stephanie Popp, Veronica Zea, and Stephanie Stockwell previously pleaded guilty. Cooke last July was sentenced to 18 months behind bars. Gilbert, Popp, Zea and Stockwell are currently awaiting sentencing.

Just as costs for some components have started to come down, TSMC and Samsung, the two largest contract chip manufacturers in the world, are reportedly planning to increase prices of production, which may affect Nvidia, AMD, Apple, and others that rely on the foundries.

Reports emerged earlier this week stating that Taiwan-based TSMC is planning price hikes in the single-digit percentages for legacy and advanced chip manufacturing technologies next year. Citing industry sources, Nikkei reported that the price hike will be around five to eight percent.

On Friday Bloomberg reported that South Korea's Samsung is planning to raise prices for chip designers by 15-20 percent this year, citing industry sources. Legacy nodes will be hit hardest, and the new pricing will come into effect in the second half of the year.

Finnish open-source-as-a-service provider Aiven received $210 million in funding this week, adding $1 billion to its nominal valuation in just nine months.

The Series D cash injection – led by Eurazeo, and joined by funds and accounts managed by BlackRock as well as existing investors IVP, Atomico, Earlybird, World Innovation Lab, and Salesforce Ventures – follows $60 million Series C funding which valued the firm at $2 billion.

The latest investment round values the company at $3 billion. It's remarkable considering it only supports open-source software and was worth $800 million when it got its first $100 million tranche of Series C funding in March last year.

Black Hat Asia Software made unsafe by dependencies should be fixed without users needing to interact with the source of the problem, according to US National Cyber Director Chris Inglis, who serves in the Executive Office of the President.

Speaking to The Register at the Black Hat Asia conference in Singapore on Friday, Inglis said that when a faulty component in a car needs to be replaced, the manufacturer who chose that component takes responsibility for securing safe parts and arranging their installation. He contrasted that arrangement with the fix for the Log4j bug, which required users to seek assistance from both vendors that used the open-source logging code and source software from the Log4j project itself.

Inglis wants vendors to take responsibility for their choices so that addressing security issues is easier and users' systems – and the US – can achieve better resilience with less effort.

Memory and storage maker Micron Technology has revealed a new business model intended to address the volatility in the memory market that has resulted in sharp swings in pricing over the past several years.

Revealed at Micron's Investor Day 2022 event, the new forward pricing agreements enable a Micron customer to sign a multi-year deal that guarantees them a supply of memory at a predictable price that follows the cost reduction that the chipmaker sees during the lifecycle of a particular product.

Micron's chief business officer Sumit Sadana told Investor Day attendees that the chipmaker has already signed up an unnamed volume customer to one of the new agreements, which the company is currently trying out to see whether it delivers on the expected benefits.

Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack.

The findings come from a report titled "How business executives perceive ransomware threat" by security company Kaspersky, which states that ransomware has become an ever-present threat, with 64 percent of companies surveyed already having suffered an attack, but more worryingly, that executives seem to believe that paying the ransom is a reliable way of addressing the issue.

The report, available here, is based on research involving 900 respondents across North America, South America, Africa, Russia, Europe, and Asia-Pacific. The respondents were in senior non-IT management roles at companies between 50 and 1,000 employees.

Black Hat Asia Cyber war has become an emerged aspect of broader armed conflicts, commencing before the first shot is fired, cybersecurity expert Kenneth Geers told the audience at the Black Hat Asia conference on Friday.

"Peacetime in cyberspace is a chaotic environment," said Geers, who has served as a visiting professor at Kiev National Taras Shevchenko University, represented the US government at NATO, and held senior roles at the National Security Agency. "A lot of hacking has to be done in peacetime."

Geers said the Russia-Ukraine war demonstrates how electronic and kinetic conflicts interact. Ahead of the Ukraine invasion, Russia severed network cables, commandeered satellites, whitewashed Wikipedia, and targeted military ops via mobile phone geolocations.

The Register - Independent news and views for the tech community. Part of Situation Publishing

Biting the hand that feeds IT © 1998–2022