Cisco Blogs


Cisco Blog > Threat Research

Vulnerability Spotlight: MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos. Post authored by Earl Carter and William Largent

Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the the MiniUPnP library TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a buffer overflow, on the stack, resulting in remote code execution.

This miniupnpc buffer overflow is present in client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network.

MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

When parsing the UPNP replies, the XML parser is initialized and `parsexml()` function is called:

1miniupnp

Read More »

Tags: , , , ,

Cisco to Expand Security Consultancy Services with Acquisition of Portcullis

There’s no question that cybersecurity is top-of-mind for Fortune 500 companies. This, compounded by a significant global security talent shortage, contributes to the burgeoning need for security companies to deliver both a comprehensive technology portfolio and a strong security consultancy service practice.

With this as the backdrop, Cisco is pleased to announce its intent to acquire Portcullis Computer Security, Ltd., a privately held UK-based consultancy that provides cybersecurity services to enterprise clients and the government sector. Portcullis’ range of security consulting services includes assessments to identify vulnerabilities, forensic testing, first responder training to prepare for attacks, policy review and creation, security awareness training, and overall security posture audits. Together, Cisco and Portcullis will provide strategic guidance to our clients to help them with their most difficult security challenges.

Through this acquisition, we increase our ability to offer robust security, risk and compliance services to help clients overcome operational and technical security challenges, anticipate and respond to new threats, and drive new business.

The acquisition of Portcullis also complements the talent and skills Cisco gained through the Neohapsis acquisition earlier this year. Portcullis has a long history of providing security consulting services in Europe, with an extensive customer network, and a respected reputation for penetration testing of web applications and infrastructure. When paired with Cisco’s existing security services portfolio, Portcullis will help accelerate Cisco’s security services business and more quickly expand its security consulting services outside of North America.

The Portcullis team will join the Cisco Security Solutions organization under the leadership of Vice President James Mobley. The acquisition is expected to be complete in the second quarter of fiscal year 2016.

 

Tags: , , , , , , ,

It’s That Time Again—Announcing the Cisco IOS & XE Software Security Advisory Bundled Publication

Today, we released the last Cisco IOS & XE Software Security Advisory Bundled Publication of 2015. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (the fourth Wednesday of March and September each calendar year).  Last cycle, we began including Cisco Security Advisories addressing vulnerabilities in Cisco IOS XE Software in this publication.  This change was a direct result of your feedback, and we hope the timeline and additional “bundling” continues to allow organizations to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in their environments.

Today’s edition of the Cisco IOS & XE Software Security Advisory Bundled Publication includes three advisories that affect the following technologies:

  • IPv6 First-Hop Security
  • SSH Version 2 (SSHv2)
  • Cisco IOS XE Software

You may recall that Cisco announced enhancements to the Cisco IOS Software Checker last year. As my colleague Kevin Saling shared, the tool can display first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories.   Read More »

Tags: , , , ,

Welcome Michelle Dennedy, Cisco’s Chief Privacy Officer

 “It’s our thesis that privacy will be an integral part of the next wave in the technology revolution and that innovators who are emphasizing privacy as an integral part of the product life cycle are on the right track.” —The Privacy Engineer’s Manifesto, 2014

Privacy in an always and increasingly connected world is a complex topic. Does privacy mean the same thing it did 20—or even 10 years ago—before we all used smartphones and social media? How does data that we generate in our connected day tell a story, become monetized, and get purposed and repurposed? How do vendors ensure that privacy is designed into products and services?

These are issues that Michelle Finneran Dennedy, a leading authority on privacy, corporate policies, and the protection of the Internet, is passionate about—and so is Cisco. So I’m very pleased to say that Michelle joined Cisco as Vice President and Chief Privacy Officer today. Simply stated, welcome, Michelle! Read More »

Tags: , , , ,

IT Security: When Maturity is Overrated

In so many parts of life, the passing of time is a benefit. Wine and whisky mature, intelligence is gained, and friendships grow stronger. For those of us working in IT security, however, the passing of time brings new challenges. Prolonging the use of older technology exponentially increases risk and the resulting problems can cost more than recommended maintenance/upgrades.

Let’s consider three facts:

  • Fact 1: IT is fundamental to the economy, safety, health, and well-being of the world’s societies. Today’s IT systems support everything from advanced medical research to a country’s economic growth.
  • Fact 2: Attacks on IT will continue to evolve in terms of efficiency, complexity, and deviousness. The need for better prevention, detection, and remediation recovery from cyber attacks continues to grow.
  • Fact 3: IT devices are developed to perform securely within the known constraints and challenges of their launch environment, with flexibility for some upgrades. But at some point, all technology reaches a lifecycle limit. Quite often that limit is less about the device’s ability to “just power up” and more about it doing so securely.

Consider these facts together and what is the conclusion?

Read More »

Tags: ,