Cisco issues security warnings on Halloween

Attackers could exploit security holes in data center manager, web conferencing products

On Halloween, Cisco (Nasdaq: CSCO) issued warnings about security threats to its data center management and web conferencing products that could enable an attacker to gain control of corporate systems.

The security hole in its Cisco Prime Data Center Network Manager (DCNM) could allow an attacker to gain remote control over the system running the application.

The DCNM combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot the health and performance of products that run Cisco NX-OS software, the company explained.

The DCNM application automates provisioning of data center local area and storage area networks; monitors the networks and detects performance degradation; secures the data center network; eases diagnosis and troubleshooting of data center outages; and streamlines management of virtualized data centers.

DCNM versions prior to 6.1.1 are vulnerable to remote exploitation of the underlying system that hosts the application, Cisco said.

The company is also plugging two security holes in its Cisco Unified MeetingPlace Web Conferencing product: a SQL injection vulnerability and a buffer overrun vulnerability.

An attacker could exploit the SQL injection hole to send commands that create, delete or alter some of the information in the Cisco Unified MeetingPlace Web Conferencing database. The buffer overrun hole could also enable an attacker to shut down the web conferencing server altogether.

Cisco stressed it is not aware of anyone exploiting the vulnerabilities and is providing customers with free software updates to plug the holes.

For more:
- see Cisco's DCNM and web conferencing security advisories
