Cisco Patches Critical Flaws in Switch and Firewall OS

Cisco Systems patched another series of critical flaws this week, this time in its FXOS and NX-OS operating systems, which are used by switches, firewalls, security appliances and unified computing systems.

The Cisco Firepower eXtensible Operating System (FXOS) is used in Cisco’s Firepower security appliances and firewalls, while NX-OS is used in the company’s Nexus-series Ethernet switches and MDS-series multilayer storage area network switches.

Cisco fixed five critical arbitrary code execution vulnerabilities this week, one that only affects NX-OS and four that affect both NX-OS and FXOS. In addition, the company also fixed 14 highly rated vulnerabilities in NX-OS, six of which six also impact FXOS. Five other vulnerabilities that only affect FXOS or specific devices have also been patched.

One of the critical vulnerabilities, CVE-2018-0301, was located in the NX-API feature of Cisco NX-OS and could be exploited by sending specially crafted HTTP or HTTPS packets to a device’s management interface with the NX-API enabled. This could result in arbitrary code execution as root.

The four other arbitrary code execution vulnerabilities, CVE-2018-0312, CVE-2018-0314, CVE-2018-0304 and CVE-2018-0308, were all located in the Cisco Fabric Services component of both Cisco FXOS and NX-OS. Attackers could exploit these flaws by sending a maliciously crafted Cisco Fabric Services packets to an affected device.

The impact of the other 19 high-risk vulnerabilities patched in NX-OS, FXOS or in individual Nexus, Firepower and UCS (Unified Computing System) devices, range from denial-of-service to privilege escalation, unauthorized administrative accounts, arbitrary code execution and command injection.

A number of other Cisco products also received patches for medium-risk flaws. These include Cisco TelePresence Video Communication Server, Cisco Unified Communications, NVIDIA TX1 Boot ROM, Cisco Meeting Server, Cisco Firepower Management Center, Cisco 5000 Series Enterprise Network Compute System, Cisco UCS E-Series Servers and Cisco AnyConnect Secure Mobility Client for Windows Desktop.

Google Play Adds Verification Data to Apps to Make Offline Distribution Safer

Even though Google has gotten pretty good at detecting and removing malware from Google Play, the Android malware ecosystem continues to thrive because users from many regions of the world have restricted or no access to the official app store and are accustomed to obtaining apps from alternative sources.

Google is now trying to partially combat this by making it easier for users to tell if an app that someone else shared with them offline or through other channels is the same one as the version that passed validation on Google Play.

“We are now adding a small amount of security metadata on top of APKs to verify that the APK was distributed by Google Play,” James Bender, product manager for Google Play, said in a blog post. “One of the reasons we’re doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity.”

Apps that will be validated in this way will be added to a user’s Play Library even if they’re obtained through a peer-to-peer channel. This means they will be able to receive automatic updates when the phone comes back online or connects to Google Play.

Even with this new security metadata, it’s safer for users to only install apps through Google Play if they have access to the store. The option to allow the installation of applications from “unknown sources” should be kept disabled on devices and users should be wary of APKs received via emails or through advertisements.

“No action is needed by developers or by those who use your app or game,” Bender said. “We’re adjusting Google Play’s maximum APK size to take into account the small metadata addition, which is inserted into the APK Signing Block. In addition to improving the integrity of Google Play’s mobile app ecosystem, this metadata will also present new distribution opportunities for developers and help more people keep their apps up to date.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin