
Cisco advisories/updates


332 replies to this topic

#166 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 October 2014 - 02:20 PM

FYI...

> http://tools.cisco.c...cationListing.x

Cisco ASA Software - multiple vulns
- http://tools.cisco.c...sa-20141008-asa
2014 Oct 8 - "Summary: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Denial of Service Vulnerability
- Cisco ASA IKEv2 Denial of Service Vulnerability
- Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
- Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
- Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
- Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Failover Command Injection Vulnerability
- Cisco ASA VNMC Command Input Validation Vulnerability
- Cisco ASA Local Path Inclusion Vulnerability
- Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
- Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
- Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others... Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available..."
- http://www.securityt....com/id/1030979
CVE Reference: CVE-2014-3382, CVE-2014-3383, CVE-2014-3384, CVE-2014-3385, CVE-2014-3386, CVE-2014-3387, CVE-2014-3388, CVE-2014-3389, CVE-2014-3390, CVE-2014-3391, CVE-2014-3392, CVE-2014-3393, CVE-2014-3394
Oct 9 2014
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 7.2(5.15), 8.4(7.23), 8.6(1.15), 8.7(1.14), 9.0(4.24), 9.1(5.12), 9.2(2.8), and 9.3(1.1) ...
 

:ph34r:


Edited by AplusWebMaster, 09 October 2014 - 04:38 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
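A version check against the fixed releases quoted above, as an added example (not part of the post or of the Cisco advisory): it parses ASA version strings in both the advisory's `9.1(5.12)` notation and the `9.1(5)12` form printed by `show version`, treats the two as the same release number (an assumption made here, not something the page states), and reports whether a build predates the fix for its train. Trains not in the quoted list come back as `unknown-train` rather than being guessed. The `show version` text is constructed sample input.

```python
import re

# Fixed releases quoted above (SecurityTracker 1030979), keyed by ASA train "major.minor";
# value = (maintenance, interim). Anything older on the same train is still affected.
FIXED_RELEASES = {
    "7.2": (5, 15), "8.4": (7, 23), "8.6": (1, 15), "8.7": (1, 14),
    "9.0": (4, 24), "9.1": (5, 12), "9.2": (2, 8), "9.3": (1, 1),
}

# Accepts the advisory notation "9.1(5.12)" and the `show version` notation "9.1(5)12".
# Treating both as the same release is an assumption of this example.
_ASA_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+)\)|\)(\d+)?)\s*$")


def parse_asa_version(text):
    """Return (train, (maintenance, interim)) for an ASA version string."""
    m = _ASA_VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    train = f"{int(m.group(1))}.{int(m.group(2))}"
    maint = int(m.group(3))
    interim = int(m.group(4) or m.group(5) or 0)   # "9.1(5)" means interim 0
    return train, (maint, interim)


def asa_status(version):
    """'fixed', 'vulnerable', or 'unknown-train' when the train is not in the quoted list."""
    train, release = parse_asa_version(version)
    if train not in FIXED_RELEASES:
        return "unknown-train"   # e.g. an end-of-life train: consult the advisory itself
    return "fixed" if release >= FIXED_RELEASES[train] else "vulnerable"


def status_from_show_version(output):
    """Pull the version out of `show version` text and classify it."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1), asa_status(m.group(1))


# Constructed sample of the first lines of `show version`; not output from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)
"""

if __name__ == "__main__":
    for v in ("7.2(5.15)", "9.1(5)10", "9.3(1.1)", "8.2(5)"):
        print(v, asa_status(v))
    print(status_from_show_version(SAMPLE_SHOW_VERSION))
```

The check is deliberately per train: a 9.1 build is compared only against 9.1(5.12), never against the 9.2 or 9.3 fix, because the advisory lists a separate first fixed release for each train.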


#167 AplusWebMaster


Posted 16 October 2014 - 04:28 AM

FYI...

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.c...20141015-poodle
2014 Oct 15 - "Summary: On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. SSLv3 is a cryptographic protocol designed to provide communication security, which has been superseded by Transport Layer Security (TLS) protocols. By exploiting this vulnerability, an attacker could decrypt a subset of the encrypted communication.
Affected Products: Cisco is evaluating products to determine their exposure to this vulnerability.
Products will be listed in the Vulnerable Products section of this advisory if they fit both the following criteria:
    SSLv3 is supported by the product
    A block cipher in CBC mode is one of the transform sets being offered
Products will be listed in the Products Confirmed Not Vulnerable section of this advisory if they fit either of the following criteria:
    SSLv3 is not supported by the product
    SSLv3 is supported by the product but no block cipher in CBC mode is offered in the transform set...
The list of vulnerable products will be populated as the products are being evaluated..."

Cisco TelePresence Video Communication Server and Cisco Expressway Software Multiple Vulns
- http://tools.cisco.c...sa-20141015-vcs
2014 Oct 15 - "Summary: Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software includes the following vulnerabilities:
    Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a Denial of Service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securityt....com/id/1031055
CVE Reference: CVE-2014-3368, CVE-2014-3369, CVE-2014-3370
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target system to crash and reload.
Solution: The vendor has issued a fix (X8.2)...

Cisco TelePresence MCU Software Memory Exhaustion Vuln
- http://tools.cisco.c...sa-20141015-mcu
2014 Oct 15 - "Summary: A vulnerability in the network stack of Cisco TelePresence MCU Software could allow an unauthenticated, remote attacker to cause the exhaustion of available memory which could lead to system instability and a reload of the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1031054
CVE Reference: CVE-2014-3397
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.3(2.30)...
The following models are affected:
Cisco TelePresence MCU 4200 Series
Cisco TelePresence MCU 4500 Series
Cisco TelePresence MCU MSE 8420
Impact: A remote user can consume all available memory, causing the system to become unstable and reload.
Solution: The vendor has issued a fix (4.3(2.30))...

Cisco Unified Communications Domain Manager Multiple Vulns
- http://tools.cisco.c...-20140702-cucdm
2014 Oct 13 - Rev. 3.0 - "Summary: Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:
- Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
- Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
- Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability
Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.
Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.
Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available. Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the "Workarounds" section of this advisory.
Note: Due to an error in the fix of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability, all Cisco Unified CDM Platform Software releases are vulnerable regardless of whether a previous patch has been applied due to this security advisory. This advisory has been updated to provide additional information about the fix for the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability..."
Rev 3.0 - 2014-Oct-13 - Added important information regarding fixed versions of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
 

:ph34r: :ph34r: :ph34r:


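The POODLE advisory quoted above reduces exposure to two conditions: SSLv3 is offered, and a CBC-mode block cipher is in the transform set. The Python below is an added example, not part of this post or of any Cisco advisory, that shows why that pairing is enough. It simulates the SSLv3 record layer (MAC, then pad, then CBC-encrypt) with the server checking only the pad-length byte, then runs the published attack model: the attacker makes the victim send a secret between a chosen-length prefix and suffix, swaps the final (all-padding) ciphertext block for the block holding the target byte, and learns one byte every ~256 accepts. Assumptions of this example: an 8-byte toy Feistel cipher stands in for the real block cipher, a truncated HMAC-SHA256 is the record MAC, and a fresh random IV per request stands in for the fresh encryption of each retried request. The `tls_padding` switch applies the TLS-style check (every padding byte verified) so the difference is visible.

```python
import functools
import hashlib
import hmac
import os

BLOCK = 8      # block size of the toy cipher, in bytes
MAC_LEN = 16   # truncated HMAC-SHA256 tag appended to every record
ROUNDS = 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

@functools.lru_cache(maxsize=None)
def _round_keys(key):
    return tuple(hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS))

def _f(rk, half):
    return hashlib.sha256(rk + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    # Toy 8-byte Feistel network standing in for a real block cipher; only its CBC use matters.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in _round_keys(key):
        l, r = r, _xor(l, _f(rk, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in reversed(_round_keys(key)):
        l, r = _xor(r, _f(rk, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def seal(key, mac_key, iv, plaintext, tls_padding=False):
    """Client side: MAC, then pad, then CBC-encrypt (the SSLv3/TLS record construction)."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK   # a whole block of padding when body is block-aligned
    # SSLv3 leaves the padding bytes undefined; TLS requires each of them to equal pad_len.
    pad = bytes([pad_len]) * pad_len if tls_padding else os.urandom(pad_len)
    return cbc_encrypt(key, iv, body + pad + bytes([pad_len]))

def open_record(key, mac_key, iv, record, tls_padding=False):
    """Server side: True only if the record is accepted. That single bit is the padding oracle."""
    body = cbc_decrypt(key, iv, record)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return False
    if tls_padding and body[-1 - pad_len:-1] != bytes([pad_len]) * pad_len:
        return False   # TLS-style check: every padding byte is verified, not just the length byte
    body = body[:len(body) - pad_len - 1]
    if len(body) < MAC_LEN:
        return False
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN])

def poodle_recover(secret, key, mac_key, tls_padding=False, max_tries=20000):
    """Attacker: victim sends prefix+secret+suffix with chosen lengths; the attacker tampers with
    the record in transit and sees only accept/reject. Fresh IV per request is an assumption."""
    recovered = bytearray()
    for k in range(len(secret)):
        p = (BLOCK - 1 - k) % BLOCK                 # place secret[k] in the last byte of a block
        s = (-(p + len(secret))) % BLOCK            # keep the body block-aligned: full padding block
        i = (p + k) // BLOCK                        # index of the plaintext block holding secret[k]
        for _ in range(max_tries):
            iv = os.urandom(BLOCK)
            rec = seal(key, mac_key, iv, b"A" * p + secret + b"B" * s, tls_padding)
            c = [iv] + [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]   # c[0] is the IV
            n = len(c) - 1                          # number of ciphertext blocks
            tampered = b"".join(c[1:n]) + c[i + 1]  # replace the padding block with the target block
            if open_record(key, mac_key, iv, tampered, tls_padding):
                # Accepted <=> last byte of D(c[i+1]) ^ c[n-1] == BLOCK-1, and D(c[i+1]) == P_i ^ c[i]
                recovered.append((BLOCK - 1) ^ c[i][-1] ^ c[n - 1][-1])
                break
        else:
            raise RuntimeError(f"server never accepted a tampered record for byte {k}")
    return bytes(recovered)

def oracle_works(secret, key, mac_key, tls_padding=False, max_tries=20000):
    """True when the attack recovers the secret, False when the server never leaks an accept."""
    try:
        return poodle_recover(secret, key, mac_key, tls_padding, max_tries) == secret
    except RuntimeError:
        return False

if __name__ == "__main__":
    k, m = os.urandom(16), os.urandom(16)
    print("SSLv3 padding, recovered:", poodle_recover(b"sid=42", k, m))
    print("TLS padding, oracle works:", oracle_works(b"sid=42", k, m, tls_padding=True, max_tries=300))
```

With the SSLv3 check the tampered record is accepted whenever the decrypted last byte happens to equal 7, so each secret byte costs about 256 requests; with the TLS-style check all seven padding bytes must match as well, and the accept never comes. The operational fix the advisory's criteria point at is to stop offering SSLv3 (or at least CBC under SSLv3); the `tls_padding` flag is only here to show which server-side check the attack depends on.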


#168 AplusWebMaster


Posted 24 October 2014 - 11:13 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco ASA Software - multiple vulns
- http://tools.cisco.c...sa-20141008-asa
Rev 1.1 - 2014 Oct 24 - "Summary: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Denial of Service Vulnerability
- Cisco ASA IKEv2 Denial of Service Vulnerability
- Cisco ASA Health and Performance Monitor Denial of Service Vulnerability
- Cisco ASA GPRS Tunneling Protocol Inspection Engine Denial of Service Vulnerability
- Cisco ASA SunRPC Inspection Engine Denial of Service Vulnerability
- Cisco ASA DNS Inspection Engine Denial of Service Vulnerability
- Cisco ASA VPN Failover Command Injection Vulnerability
- Cisco ASA VNMC Command Input Validation Vulnerability
- Cisco ASA Local Path Inclusion Vulnerability
- Cisco ASA Clientless SSL VPN Information Disclosure and Denial of Service Vulnerability
- Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
- Cisco ASA Smart Call Home Digital Certificate Validation Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others... Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available..."
Rev1.1 - 2014-Oct-24 - Updated the target date for Cisco ASA Software version 9.3(1.1) and the "Exploitation and Public Announcements" Section.
- https://web.nvd.nist...d=CVE-2014-3382 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3383 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3384 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3385 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3386 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3387 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3388 - 7.8 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3389 - 9.0 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3390 - 6.8
- https://web.nvd.nist...d=CVE-2014-3391 - 6.8
- https://web.nvd.nist...d=CVE-2014-3392 - 8.3 (HIGH)
- https://web.nvd.nist...d=CVE-2014-3393 - 4.3
- https://web.nvd.nist...d=CVE-2014-3394 - 5.0

Cisco IronPort Appliances Telnet Remote Code Execution vuln
- http://tools.cisco.c...120126-ironport
Rev 2.0 - 2014 Oct 16 - "Summary: Cisco AsyncOS Software for Cisco Web Security Appliance (WSA), Cisco Email Security Appliance (ESA), and Cisco Content Security Management Appliance (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available..."
Rev2.0 - 2014-Oct-16 - Added important information about Cisco WSA.
See "Software Versions and Fixes": Cisco ESA, SMA, WSA
- https://web.nvd.nist...d=CVE-2011-4862 - 10.0 (HIGH)
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 24 October 2014 - 06:50 PM.



#169 AplusWebMaster


Posted 06 November 2014 - 07:20 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Small Business RV Series Routers - multiple vulns
- http://tools.cisco.c...-sa-20141105-rv
Nov 5, 2014 - "Summary: The Cisco RV120W Wireless-N VPN Firewall, Cisco RV180 VPN Router, Cisco RV180W Wireless-N Multifunction VPN Router, and Cisco RV220W Wireless Network Security Firewall are affected by the following vulnerabilities:
    Cisco RV Series Routers Command Injection Vulnerability
    Cisco RV Series Routers HTTP Referer Header Vulnerability
    Cisco RV Series Routers Insecure File Upload Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available..."
- http://www.securityt....com/id/1031171
CVE Reference: CVE-2014-2177, CVE-2014-2178, CVE-2014-2179
Nov 6 2014
Impact: Execution of arbitrary code via network, Modification of user information, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Models RV120W, RV180, RV180W, and RV220W...
Solution: The vendor has issued a fix (RV180 firmware version 1.0.4.14, RV180W firmware version 1.0.4.14, RV120W firmware 1.0.5.9). The vendor plans to issue a fix for the Cisco RV220W Wireless Network Security Firewall during November 2014...
 

:ph34r: :ph34r:




#170 AplusWebMaster


Posted 13 November 2014 - 10:22 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Products - OpenSSL - Multiple Vulnerabilities
- http://tools.cisco.c...0140605-openssl
Rev1.23 - 2014 Nov 12

GNU Bash Environment Variable Command Injection Vulnerability
- http://tools.cisco.c...a-20140926-bash
Rev1.2 - 2014 Nov 12

Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
- http://tools.cisco.c...120126-ironport
Rev2.0 - 2014 Nov 12
___

Multiple Vulnerabilities in Cisco Small Business RV Series Routers - Updated
- http://tools.cisco.c...-sa-20141105-rv
Rev.1.1 - 2014 Nov 20 - Added fixed software details for the RV220W.

Apache HTTPd Range Header Denial of Service Vulnerability - Updated
- http://tools.cisco.c...20110830-apache
Rev.1.9 - 2014 Nov 20 - Fixed information for Video Communication Server: fixed release is X7.0.2 instead of X7.0.1.

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability - Updated
- http://tools.cisco.c...20141015-poodle
Rev.1.11 - 2014 Nov 21 - Moved Cisco Network Collector, Cisco Prime Collaboration Provisioning, Cisco Unified Intelligence Center (UIC), Cisco Computer Telephony Integration Object Server (CTIOS), Cisco Emergency Responder, Cisco Paging Server, Cisco Unified Contact Center Enterprise (UCCE), Cisco Videoscape Distribution Suite for Internet Streaming to the Vulnerable Products section. Updated Products Not Vulnerable and Products Under Investigation sections.

GNU Bash Environment Variable Command Injection Vulnerability - Updated
- http://tools.cisco.c...a-20140926-bash
Rev.1.25 - 2014 Nov 24 - Updated Fixed Software table.

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products - Updated
- http://tools.cisco.c...0140605-openssl
Rev.1.24 - 2014 Nov 24 - Updated the Affected Products and Products Confirmed Not Vulnerable sections.
 

:ph34r:


Edited by AplusWebMaster, 04 December 2014 - 11:17 AM.



#171 AplusWebMaster


Posted 22 December 2014 - 02:13 PM

FYI...

Multiple Vulnerabilities in -ntpd- Affecting Cisco Products
- http://tools.cisco.c...a-20141222-ntpd
Dec 22, 2014 - "Summary: Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or create a denial of service (DoS) condition.
On December 19, 2014, NTP.org and US-CERT released security advisories detailing two issues regarding weak cryptographic pseudorandom number generation (PRNG), three buffer overflow vulnerabilities, and an unhandled error condition with an unknown impact. The vulnerabilities are referenced in this document as follows:
    CVE-2014-9293: Weak Default Key in config_auth()
    CVE-2014-9294: Noncryptographic Random Number Generator with Weak Seed Used by ntp-keygen to Generate Symmetric Keys
    CVE-2014-9295: Multiple Buffer Overflow Vulnerabilities in ntpd
    CVE-2014-9296: ntpd receive(): Missing Return on Error
This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available..."
Rev1.9 - 2015Jan9 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

- https://www.us-cert....Protocol-Daemon
Dec 19, 2014

- http://www.kb.cert.org/vuls/id/852879
Last revised: 22 Dec 2014

- http://www.ntp.org/downloads.html
2014/12/19

- https://web.nvd.nist...d=CVE-2014-9293 - 5.0
- https://web.nvd.nist...d=CVE-2014-9294 - 5.0
- https://web.nvd.nist...d=CVE-2014-9295 - 7.5 (HIGH)

Last revised: 12/22/2014 - "... NTP -before- 4.2.8 allow remote attackers to execute arbitrary code..."
- https://web.nvd.nist...d=CVE-2014-9296 - 5.0

- http://support.ntp.o.../SecurityNotice
2014-12-21
- https://isc.sans.edu...l?storyid=19095
Last Updated: 2014-12-21
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 09 January 2015 - 01:47 PM.



#172 AplusWebMaster


Posted 05 February 2015 - 05:06 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco WebEx Meetings Server Command Injection Vuln
- http://tools.cisco.c...sa-20150204-wbx
2015 Feb 4 - "Summary: A vulnerability in the administrative web interface of Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary commands on the affected system and on the devices managed by the affected system. The vulnerability is due to improper user input validation. An attacker could exploit this vulnerability by crafting input into the affected fields of the web interface. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1031692
CVE Reference: https://web.nvd.nist...d=CVE-2015-0589 - 9.0 (HIGH)
Feb 4 2015

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
2015 Feb 4 Rev1.5 - "Summary: On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affects applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited. The glibc library is a commonly used third-party software component that is released by the GNU software project and a number of Cisco products are likely affected. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available...
Rev1.5 - 2015-Feb-04: Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 12 February 2015 - 12:26 PM.



#173 AplusWebMaster


Posted 12 February 2015 - 06:22 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Secure Access Control System SQL Injection Vulnerability
- http://tools.cisco.c...-20150211-csacs
2015 Feb 11 - "Summary: Cisco Secure Access Control System (ACS) prior to version 5.5 patch 7 is vulnerable to a SQL injection attack in the ACS View reporting interface pages. A successful attack could allow an authenticated, remote attacker to access and modify information such as RADIUS accounting records stored in one of the ACS View databases or to access information in the underlying file system. Cisco has released free software updates that address this vulnerability..."
- http://www.securityt....com/id/1031740
CVE Reference: https://web.nvd.nist...d=CVE-2015-0580 - 6.5
Feb 11 2015

Multiple Vulnerabilities in Cisco ASA Software
- http://tools.cisco.c...sa-20141008-asa
2015 Feb 11 - Rev 2.0 - Added important information about Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability - CSCup36829 - in the "Vulnerable Products," "Software Versions and Fixes," and "Exploitation and Public Announcements" sections of this advisory.

Multiple Vulnerabilities in ntpd Affecting Cisco Products
- http://tools.cisco.c...a-20141222-ntpd
2015 Feb 11 - Rev 2.0 - Added the two new CVE IDs from ntp.org. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Note: Cisco WebEx Meeting Server versions 2.x moved from Vulnerable to Not Vulnerable. Cisco Business Edition 3000 (BE3k) removed from advisory as end of life.

GNU glibc gethostbyname Function Buffer Overflow Vulnerability
- http://tools.cisco.c...-20150128-ghost
2015 Feb 11 - Rev 1.10 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
 

:ph34r:




#174 AplusWebMaster


Posted 20 February 2015 - 08:24 PM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco IOS XR Software IPv6 Malformed Packet DoS Vuln
- http://tools.cisco.c...a-20150220-ipv6
2015 Feb 20 - "Summary: A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic. The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device. Cisco has released free software updates that address this vulnerability. There are no workarounds that address this vulnerability..."

Rev 1.1 - 2015-Feb-24 - Software Versions and Fixes updated
- http://www.securityt....com/id/1031778
CVE Reference: https://cve.mitre.or...e=CVE-2015-0618
Feb 20 2015
Solution: The vendor has issued a fix:
hfr-px-5.1.3.CSCuq95241.pie for version 5.1.3 for CRS-X
hfr-px-5.1.4.CSCuq95241.pie for version 5.1.4 for CRS-X

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.17 - 2015-Feb-20 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
- http://tools.cisco.c...0140605-openssl
Rev 1.26 - 2015-Feb-25 - Updated the Affected Products and Confirmed Vulnerable sections.
2014 June 5 - "Summary: Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or perform a man-in-the-middle attack. On June 5, 2014, the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
    SSL/TLS Man-in-the-Middle Vulnerability
    DTLS Recursion Flaw Vulnerability
    DTLS Invalid Fragment Vulnerability
    SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
    SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
    Anonymous ECDH Denial of Service Vulnerability
    ECDSA NONCE Side-Channel Recovery Attack Vulnerability
Please note that the devices that are affected by this vulnerability are the devices acting as a Secure Sockets Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities..."
- http://www.cisco.com...L_06052014.html
 

:ph34r:


Edited by AplusWebMaster, 04 March 2015 - 11:41 AM.



#175 AplusWebMaster


Posted 04 March 2015 - 11:54 AM

FYI...

- http://tools.cisco.c...cationListing.x

Multiple Vulnerabilities in ntpd Affecting Cisco Products
- http://tools.cisco.c...a-20141222-ntpd
Rev 2.7 - 2015-March-04 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

GNU glibc gethostbyname Function Buffer Overflow Vulnerability
- http://tools.cisco.c...-20150128-ghost
Rev 1.20 - 2015-March-03 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

GNU Bash Environment Variable Command Injection Vulnerability
- http://tools.cisco.c...a-20140926-bash
Rev 1.28 - 2015-March-02 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
- http://tools.cisco.c...20141015-poodle
Rev 1.15 - 2015-February-27 - Added Cisco Prime Performance Manager, Cisco Application Virtual Switch (AVS), Cisco Unified 7800 series IP Phones to the Vulnerable Products section. Changed category of Cisco UCS Invicta Series Autosupport Portal. Added CiscoWorks Network Compliance Manager to the Not Vulnerable products section.
 

:ph34r: :ph34r:




#176 AplusWebMaster


Posted 12 March 2015 - 08:21 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco TelePresence Video Communication Server, Expressway, TelePresence Conductor - multiple vulns
- http://tools.cisco.c...sa-20150311-vcs
2015 Mar 11 Rev 1.0 - "Summary: Cisco TelePresence Video Communication Server (VCS), Cisco Expressway and Cisco TelePresence Conductor contain the following vulnerabilities:
    SDP Media Description Denial of Service Vulnerability
    Authentication Bypass Vulnerability
Successful exploitation of the SDP Media Description Denial of Service Vulnerability may cause the affected system to reload. Successful exploitation of the Authentication Bypass Vulnerability may allow an attacker to bypass authentication and log in to the system with the privileges of an administrator. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."  
- http://www.securityt....com/id/1031910
CVE Reference: CVE-2015-0652, CVE-2015-0653
Mar 11 2015

Cisco Intrusion Prevention System MainApp Secure Socket Layer DoS Vuln
- http://tools.cisco.c...sa-20150311-ips
2015 Mar 11 Rev 1.0 - "Summary: The Cisco Intrusion Prevention System (IPS) Software has a vulnerability within the SSL/TLS subsystem utilized by the web management interface which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Cisco has released free software updates that address this vulnerability..."
- http://www.securityt....com/id/1031908
CVE Reference: CVE-2015-0654
Mar 11 2015

Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.1 - 2015-March-11 - Moved Cisco Content Security Management Appliance (SMA) from Not Vulnerable to Under Investigation. Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Multiple Vulnerabilities in ntpd Affecting Cisco Products
- http://tools.cisco.c...a-20141222-ntpd
Rev 2.8 - 2015-March-11 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Row Hammer Privilege Escalation Vulnerability
- http://tools.cisco.c...50309-rowhammer
Rev 1.2 - 2015-March-11 - Updated Product Status.

Cisco Secure Access Control System SQL Injection Vulnerability
- http://tools.cisco.c...-20150211-csacs
Rev 2.0 - 2015-March-10 - Updated vulnerable release number

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.22 - 2015-March-10 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 12 March 2015 - 12:50 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#177 AplusWebMaster

Posted 17 March 2015 - 08:44 AM

FYI...

OpenSSL (January 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.3 - 2015-March-16 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.23 - 2015-March-13 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.c...20141015-poodle
Rev 1.16 - 2015-March-12 - Table version for the Vulnerable products section. More products added.
___

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.24 - 2015-March-17 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Row Hammer Privilege Escalation Vuln
- http://tools.cisco.c...50309-rowhammer
Rev 1.3 - 2015-March-17 - Added product evaluation status update to the Affected Products section.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 19 March 2015 - 06:32 AM.



#178 AplusWebMaster

Posted 23 March 2015 - 05:41 AM

FYI...

- http://tools.cisco.c...cationListing.x

OpenSSL (March 2015) Affecting Cisco Products - Multiple Vulnerabilities
- http://tools.cisco.c...0150320-openssl
2015 March 20 - Summary: Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities... This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available...
Rev 1.0 - 2015-March-20 - Initial public release.

GNU glibc gethostbyname Function Buffer Overflow Vuln
- http://tools.cisco.c...-20150128-ghost
Rev 1.25 - 2015-March-20 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

Cisco Secure Access Control System SQL Injection Vuln
- http://tools.cisco.c...-20150211-csacs
Rev 2.1 - 2015-March-19 - Updated version number in Products Confirmed Not Vulnerable.
 

:ph34r: :ph34r:




#179 AplusWebMaster

Posted 26 March 2015 - 06:27 AM

FYI...

March 2015 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
- http://www.cisco.com..._ERP_mar15.html
___

Multiple Vulnerabilities in Cisco IOS and IOS XE Software Autonomic Networking Infrastructure
- http://tools.cisco.c...sa-20150325-ani
2015 March 25
- http://www.securityt....com/id/1031982
CVE Reference: CVE-2015-0635, CVE-2015-0636, CVE-2015-0637
Mar 25 2015

Cisco IOS Software Virtual Routing and Forwarding ICMP Queue Wedge Vuln
- http://tools.cisco.c...-20150325-wedge
Mar 25 2015
- http://www.securityt....com/id/1031983
CVE Reference: CVE-2015-0638
Mar 25 2015

Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 DoS Vuln
- http://tools.cisco.c...-20150325-ikev2
2015 March 25
- http://www.securityt....com/id/1031978
CVE Reference: CVE-2015-0642, CVE-2015-0643
Mar 25 2015

Multiple Vulnerabilities in Cisco IOS Software Common Industrial Protocol
- http://tools.cisco.c...sa-20150325-cip
Mar 25 2015
- http://www.securityt....com/id/1031984
CVE Reference: CVE-2015-0647, CVE-2015-0648, CVE-2015-0649
Mar 25 2015

Cisco IOS and IOS XE Software mDNS Gateway Denial of Service Vuln
- http://tools.cisco.c...a-20150325-mdns
Mar 25 2015
- http://www.securityt....com/id/1031979
CVE Reference: CVE-2015-0650
Mar 25 2015

Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vuln
- http://tools.cisco.c...0150325-tcpleak
Mar 25 2015
- http://www.securityt....com/id/1031980
CVE Reference: CVE-2015-0646
Mar 25 2015

Cisco IOS XE Software for Cisco ASR 1000 Series, Cisco ISR 4400 Series, and Cisco Cloud Services 1000v Series Routers - Multiple Vulns
- http://tools.cisco.c...-20150325-iosxe
Mar 25 2015
- http://www.securityt....com/id/1031981
CVE Reference: CVE-2015-0639, CVE-2015-0640, CVE-2015-0641, CVE-2015-0644, CVE-2015-0645
Mar 25 2015
___

- https://www.us-cert....dvisory-Bundled
March 26, 2015 - "Cisco has released its semiannual Cisco IOS Software Security Advisory Bundled Publication. This publication includes seven Security Advisories that address vulnerabilities in Cisco IOS Software. Exploits of these vulnerabilities could result in a denial of service (DoS) condition, interface queue wedge, or exchange memory leak..."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 03 April 2015 - 08:58 AM.



#180 AplusWebMaster

Posted 03 April 2015 - 06:47 AM

FYI...

- http://tools.cisco.c...cationListing.x

Cisco Unity Connection - Multiple Vulns
- http://tools.cisco.c...sa-20150401-cuc
2015 April 1 - "Summary: Cisco Unity Connection contains multiple vulnerabilities when it is configured with Session Initiation Protocol (SIP) trunk integration. The vulnerabilities described in this advisory are denial of service vulnerabilities impacting the availability of Cisco Unity Connection for processing SIP messages. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securityt....com/id/1032010
CVE Reference: CVE-2015-0612, CVE-2015-0613, CVE-2015-0614, CVE-2015-0615, CVE-2015-0616
Apr 1 2015
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 8.5(1)SU7, 8.6(2a)SU4, 9.1(2)SU2, 10.0(1)SU1 ...

Cisco Prime Data Center Network Manager File Information Disclosure Vuln
- http://tools.cisco.c...a-20150401-dcnm
2015 April 1 - "Summary: Cisco Prime Data Center Network Manager (DCNM) contains a file information disclosure vulnerability that could allow an unauthenticated, remote attacker to retrieve arbitrary files from the underlying operating system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securityt....com/id/1032009
CVE Reference: CVE-2015-0666
Apr 1 2015
Impact: Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.3(1) and after and prior to 7.1(1) ...

Cisco IOS XE Software for Cisco ASR 1000 Series, Cisco ISR 4400 Series, and Cisco Cloud Services 1000v Series Routers - Multiple Vulns
- http://tools.cisco.c...-20150325-iosxe
Rev 1.1 - 2015-April-01 - Edited Software Versions and Fixes section.
"Summary: Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers (ASR), Cisco 4400 Series Integrated Services Routers (ISR), and Cisco Cloud Services Routers (CSR) 1000v Series contains the following vulnerabilities:
    Cisco IOS XE Software Fragmented Packet Denial of Service Vulnerability
    Cisco IOS XE Software Crafted TCP Packet Remote Code Execution Vulnerability
    Cisco IOS XE Software Crafted IPv6 Packet Denial of Service Vulnerability
    Cisco IOS XE Software Layer 4 Redirect Crafted Packet Denial of Service Vulnerability
    Cisco IOS XE Software Common Flow Table Crafted Packet Denial of Service Vulnerability
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others...Cisco has released free software updates that address these vulnerabilities..."

- http://blogs.cisco.c...led-publication
March 25, 2015

OpenSSL (January 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...sa-20150310-ssl
Rev 1.6 - 2015-April-02 - Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections.

GNU Bash Environment Variable Command Injection Vuln
- http://tools.cisco.c...a-20140926-bash
Rev 1.29 - 2015-April-01 - Updated Fixed Software table and Products Confirmed Not Vulnerable sections.

OpenSSL (March 2015) Affecting Cisco Products - Multiple Vulns
- http://tools.cisco.c...0150320-openssl
Rev 1.3 - 2015-April-01 - Updated Affected Products section - Vulnerable/Not Vulnerable Products.
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 06 April 2015 - 09:51 PM.

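Added example, not part of the post above and not code from Cisco or SecurityTracker: the fixed-version list quoted for Cisco Unity Connection ("prior to versions 8.5(1)SU7, 8.6(2a)SU4, 9.1(2)SU2, 10.0(1)SU1 ...") and the affected range quoted for Prime DCNM ("6.3(1) and after and prior to 7.1(1)") only help if you can compare your installed release against them correctly, and Cisco's MAJOR.MINOR(MAINT[letter])SUn strings do not sort as plain text. The checker below parses that grammar into a comparable tuple and answers per host. The version grammar, the ordering of rebuild letters and Service Updates, and the sample inventory are all assumptions made for this example; the Unity Connection table is deliberately incomplete because the post's list is truncated, so a train it does not cover is reported as unknown rather than fixed.

```python
import re
from typing import Optional, Tuple

# Fixed releases quoted in the post above (SecurityTracker 1032010, Cisco Unity
# Connection, CVE-2015-0612..0616). The listing there ends in "...", so this table
# is incomplete on purpose: a train absent from it is "unknown", never "fixed".
CUC_FIXED_BY_TRAIN = {
    "8.5": "8.5(1)SU7",
    "8.6": "8.6(2a)SU4",
    "9.1": "9.1(2)SU2",
    "10.0": "10.0(1)SU1",
}

# Affected range quoted for Prime DCNM (SecurityTracker 1032009, CVE-2015-0666):
# "6.3(1) and after and prior to 7.1(1)", i.e. 6.3(1) <= v < 7.1(1).
DCNM_FIRST_AFFECTED = "6.3(1)"
DCNM_FIRST_FIXED = "7.1(1)"

# Assumed grammar: MAJOR.MINOR(MAINT[rebuild-letter])[SU<n>], e.g. "8.6(2a)SU4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:SU(\d+))?$")


def parse_cisco_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Cisco-style version string into a comparable tuple.

    Ordering assumptions (not stated on the page): a rebuild letter sorts after
    no letter (8.6(2) < 8.6(2a)); a Service Update sorts after its base
    (8.6(2a) < 8.6(2a)SU1); the rebuild letter outranks the SU number
    (8.6(2a) > 8.6(2)SU9).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    major, minor, maint, rebuild, su = m.groups()
    return (
        int(major),
        int(minor),
        int(maint),
        (ord(rebuild) - ord("a") + 1) if rebuild else 0,
        int(su) if su else 0,
    )


def train_of(text: str) -> str:
    """'8.6(2a)SU4' -> '8.6'; fixes are published per train, so compare within one."""
    major, minor = parse_cisco_version(text)[:2]
    return f"{major}.{minor}"


def cuc_is_vulnerable(installed: str) -> Optional[bool]:
    """True if the installed Unity Connection release predates the fix for its
    train, False if it is at or past the fix, None if the train is not listed."""
    fixed = CUC_FIXED_BY_TRAIN.get(train_of(installed))
    if fixed is None:
        return None
    return parse_cisco_version(installed) < parse_cisco_version(fixed)


def dcnm_is_vulnerable(installed: str) -> bool:
    """True if the installed DCNM release lies in [6.3(1), 7.1(1))."""
    v = parse_cisco_version(installed)
    lo = parse_cisco_version(DCNM_FIRST_AFFECTED)
    hi = parse_cisco_version(DCNM_FIRST_FIXED)
    return lo <= v < hi


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real hosts.
    inventory = [
        ("cuc-1", "cuc", "8.6(2)SU3"),
        ("cuc-2", "cuc", "9.1(2)SU2"),
        ("cuc-3", "cuc", "10.5(1)"),
        ("dcnm-1", "dcnm", "7.0(2)"),
        ("dcnm-2", "dcnm", "7.1(1)"),
    ]
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown (train not listed)"}
    for host, product, ver in inventory:
        status = cuc_is_vulnerable(ver) if product == "cuc" else dcnm_is_vulnerable(ver)
        print(f"{host:8} {product:5} {ver:12} {labels[status]}")
```

The point of returning None rather than False for an unlisted train is that a truncated advisory quote is not evidence of a fix; check the full advisory for any train the table does not name, and extend the table from it rather than from this post.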
