Cisco is urging customers to install an update that fixes a high-severity issue affecting its Network Assurance Engine (NAE) for managing data-center networks. More security news Forgot password? Five reasons why you need a password manager Winnie The Pooh takes over Reddit due to Chinese investment, censorship fears Should you be scared of your laptop’s webcam? iPhone snooping: Apple cracks down on apps that secretly record taps, keystrokes The bug, tracked as CVE-2019-1688, could allow an attacker to use a flaw in the password-management system of NAE to knock out an NAE server and cause a denial of service. NAE is an important data-center network management tool that helps admins assess the impact of network changes and avoid application outages. As Cisco explains, the flaw is due to user passwords changes from the web-management interface failing to propagate to the command-line interface (CLI), leaving the old default password in place in the CLI. The issue only affects NAE version 3.0 (1), so older versions aren’t affected. A local attacker could exploit the bug by authenticating with the default admin password on the CLI of an affected server. From there, the attacker could view sensitive information and bring down the server. The bug is fixed in Cisco NAE Release 3.0(1a) but Cisco notes that to fix the issue properly customers should change the admin password after upgrading to that version. Cisco also has a workaround for the bug, which involves changing the default admin password from the CLI. However, Cisco recommends… [Read full story]
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.