Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

Cisco | June 01, 2020

  • Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted.

  • Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked.

  • The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure.


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero-day vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities potentially could have allowed an attacker to gain full remote code execution within the servers.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

Cisco's six compromised servers are used to support Virtual Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition, or CML, a platform that enables engineers to emulate various Cisco operating systems, including IOS, IOS XR and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

The exploitability of the vulnerabilities on the six servers depends on how the products that the servers support are enabled. The company advises those using Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6, which have the salt-master service reachable on TCP ports 4505 and 4506, to inspect the software for compromise, re-image it and then patch it with the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches.

Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system.

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then, working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," says Scott Caveza, research engineering manager at the security firm Tenable.

SaltStack went to great lengths to communicate the problem to its users and to offer tools so that mitigation efforts were carried out properly, Peay says. This included direct assistance for users who lacked the skills to administer SaltStack themselves, along with a scanning service that validated that the patches had been properly applied, he adds.

Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero-day vulnerabilities.

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.

Caveza of Tenable notes that identifying systems that need a patch involves IT staff checking the version of SaltStack and verifying that version 2019.2.4, 3000.2 or later has been applied. He points out that vulnerability-scanner plugins are available to assist with this task.


About Cisco

Cisco enables people to make powerful connections--whether in business, education, philanthropy, or creativity. Cisco hardware, software, and service offerings are used to create the Internet solutions that make networks possible--providing easy access to information anywhere, at any time.
