VMware, Cisco Systems issue security warnings

IT administrators have been warned by two of the biggest suppliers of enterprise products of security vulnerabilities.

VMware issued an “important” alert this week for updates after finding 30 of its products are vulnerable to the recently discovered Linux kernel TCP Selective Acknowledgement (SACK) vulnerabilities. Those bugs could lead to a distributed denial of service attack against those products, the company said.

Meanwhile, Cisco Systems said it is updating the firmware on a number of its Small Business 250, 350, 350X and 550X switches, as well as the FindIT Network Probe, after researchers at a security firm discovered that, through the use of a third-party software library, security certificates from a Huawei Technologies subsidiary had been included in the Cisco products.

VMware said there are two uniquely identifiable vulnerabilities associated with the Linux kernel implementation of SACK:

  • CVE-2019-11477 – SACK Panic – A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
  • CVE-2019-11478 – SACK Excess Resource Usage – A crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

The good news is that these aren’t easy to exploit: an attacker must have network access to an affected system, including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade performance.

The bad news is some devices can at the moment be updated, while others, including some VMware Virtual Appliances, need workarounds by either disabling SACK or by modifying the built-in firewall (if available) in the base operating system of the product to drop incoming connections with a low MSS value.
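An added example, not from VMware's advisory or this article: a Python check for whether either workaround described above is in place, given the value of `net.ipv4.tcp_sack` and the output of `iptables-save`. The 500-byte cut-off for a "low" MSS and the sample rules are assumptions constructed for illustration, and the check says nothing about whether the kernel itself is patched.

```python
import re

MSS_RANGE = re.compile(r"--mss (\d+)(?::(\d+))?")
# Match options that limit a rule to some sources, ports or interfaces.
NARROWING = {"-s", "-d", "-i", "--dport", "--dports"}

def sack_workaround_status(tcp_sack, iptables_save, floor=500):
    """Return 'sack-disabled', 'low-mss-filtered' or 'no-workaround'.

    tcp_sack      -- contents of /proc/sys/net/ipv4/tcp_sack
    iptables_save -- text printed by `iptables-save`
    floor         -- assumed upper bound of a "low" MSS (not from the article)
    Rule ordering is not evaluated: an earlier ACCEPT can still bypass the drop.
    """
    if tcp_sack.strip() == "0":
        return "sack-disabled"
    for line in iptables_save.splitlines():
        words = line.split()
        if words[:2] != ["-A", "INPUT"] or words[-2:] != ["-j", "DROP"]:
            continue
        if " -p tcp " not in line or "! --mss" in line:
            continue
        if NARROWING & set(words):
            continue  # protects only part of the traffic
        m = MSS_RANGE.search(line)
        if m:
            low, high = int(m.group(1)), int(m.group(2) or m.group(1))
            if low <= 1 and high >= floor:
                return "low-mss-filtered"
    return "no-workaround"

# Constructed iptables-save output: the first rule is too narrow to count.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(sack_workaround_status("1\n", SAMPLE_RULES))  # low-mss-filtered
    print(sack_workaround_status("0\n", ""))            # sack-disabled
```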

Affected products are VMware AppDefense, Container Service Extension, Enterprise PKS, Horizon, Hybrid Cloud Extension, Identity Manager, Integrated OpenStack, NSX, Pulse Console, SD-WAN, Skyline Collector, Unified Access Gateway, vCenter Server Appliance, vCloud, vRealize and vSphere products.

The Cisco problem is an example of what can go wrong when software developers use third party or open source libraries in the products, which is common, and shows the need for thorough testing before releasing final code.

The problem was detected by SEC Technologies, which ran its IoT Inspector tool on the firmware in a Cisco 250 Smart Switch. The firmware contained a few X.509 certificates and a corresponding private key in a root folder usually intended for SSH keys, not certificates. The certificates were issued by a gary.wu1(at)huawei.com from Futurewei Technologies, which is a U.S.-based subsidiary of Huawei Technologies.

SEC alerted Cisco, which carried out an investigation. The certificates and private key were part of the OpenDaylight GitHub open source package, which is used in all Cisco 250/350/350X/550X Series switches, so all of them are affected. Developers used the certificates for testing the Cisco FindIT Network Probe that comes with the devices.

In its advisory, Cisco said the inclusion of the certificates and keys from the OpenDaylight open source package in shipping software was “an oversight by the Cisco FindIT development team.” Normally all shipping versions of the Cisco FindIT Network Probe use dynamically created certificates. The latest firmware releases remove the offending certificates.

Separately Cisco said it was also fixing the inclusion of empty password hashes for the users root and user and the unneeded gdbserver and tcpdump packages in new firmware for a number of 250, 350 and 550 switches.
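An added example, not SEC Technologies' tool or Cisco's code: a pre-release check in Python that walks an unpacked firmware image and reports the kinds of leftovers described above (PEM certificates and private keys, empty password fields in `shadow`, and the `gdbserver` and `tcpdump` binaries). The file paths and contents in `build_sample` are constructed for illustration and are not taken from the affected firmware.

```python
import os, re, tempfile

# PEM headers for certificates and for any flavour of private key.
PEM = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY|CERTIFICATE)-----")
DEBUG_TOOLS = {"gdbserver", "tcpdump"}  # packages the article names

def scan_firmware(root):
    """Return sorted (relative_path, finding) pairs for an unpacked image."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in DEBUG_TOOLS:
                findings.add((rel, "debug-tool"))
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            for m in PEM.finditer(data):
                key = m.group(1).endswith(b"PRIVATE KEY")
                findings.add((rel, "private-key" if key else "certificate"))
            if name == "shadow":
                # shadow format is user:hash:...; an empty second field
                # means the account has no password set.
                for line in data.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    if len(fields) > 1 and fields[1] == "":
                        findings.add((rel, "empty-password:" + fields[0]))
    return sorted(findings)

def build_sample(root):
    """Write a constructed, hypothetical firmware tree for the demo."""
    sample = {
        "root/.ssh/test.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "root/.ssh/test.crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n",
        "etc/shadow": "root::0:0:99999:7:::\nuser::0:0:99999:7:::\nadmin:$6$x$y:0::::\n",
        "usr/bin/gdbserver": "\x7fELF constructed stub",
        "etc/hostname": "switch\n",
    }
    for rel, text in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, finding in scan_firmware(tmp):
            print(f"{finding:24} {rel}")
```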

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
