from the patchwork dept.
Arthur T Knackerbracket has found the following story:
Cisco has patched nine serious remote code execution vulnerabilities in the SNMP subsystem running in its IOS and IOS XE software. The vulnerabilities had been publicly disclosed.
Cisco notified users of the availability of patches after releasing its initial advisory on the matter on June 29, warning of the public disclosure as well as providing workarounds.
All releases of Cisco IOS and IOS XE software are affected, as are all versions of SNMP (1, 2c and 3), the company said. A request for comment from Cisco on the source of the public disclosures was not returned in time for publication.
Nine buffer overflow vulnerabilities (CVE-2017-6736 through CVE-2017-6744) were patched, each allowing a remote attacker without authentication to use specially crafted SNMP packets to exploit the flaws and either execute code remotely or cause a system to reload, Cisco said.
Systems running SNMP version 2c or earlier can be exploited only if an attacker knows the SNMP read-only community string for the particular system. For SNMP version 3, an attacker would have to have credentials for a targeted system to carry out an attack.
"A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the affected system or cause the affected system to reload," Cisco said in its advisory.
-- submitted from IRC