<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Blog Archives - Zeo Technologies</title>
	<atom:link href="https://www.zeotechnologies.com/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.zeotechnologies.com/category/blog/</link>
	<description>Zeo Technologies</description>
	<lastBuildDate>Tue, 07 Jan 2020 17:01:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.2</generator>
<site xmlns="com-wordpress:feed-additions:1">171227897</site>	<item>
		<title>Cisco issues critical security warnings its Data Center Network Manager</title>
		<link>https://www.zeotechnologies.com/cisco-issues-critical-security-warnings-its-data-center-network-manager/</link>
		
		<dc:creator><![CDATA[Zeo Technologies]]></dc:creator>
		<pubDate>Tue, 07 Jan 2020 17:01:50 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.zeotechnologies.com/?p=643</guid>

					<description><![CDATA[<p>Cisco warns of vulnerabilities that can let attackers issue arbitrary actions with administrative permissions. Cisco this week issued software to address multiple critical authentication exposures in its Data Center Network Manager (DCNM) software for its Nexus data center switches. DCNM is a central management dashboard for data-center fabrics based on Cisco Nexus switches and handles a number of core duties such as automation, configuration control, flow policy management and&#8230;</p>
<p>The post <a href="https://www.zeotechnologies.com/cisco-issues-critical-security-warnings-its-data-center-network-manager/">Cisco issues critical security warnings its Data Center Network Manager</a> appeared first on <a href="https://www.zeotechnologies.com">Zeo Technologies</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3>Cisco warns of vulnerabilities that can let attackers issue arbitrary actions with administrative permissions.</h3>
<p>Cisco this week issued software to address multiple critical authentication exposures in its Data Center Network Manager (DCNM) software for its Nexus data center switches.</p>
<p>DCNM is a central management dashboard for data-center fabrics based on Cisco Nexus switches and handles a number of core duties such as automation, configuration control, flow policy management and real-time health details for fabric, devices, and network topology. Cisco said that there were three exposures, which it rated as a 9.8 out of 10 on the Common Vulnerability Scoring System, in the DCNM authentication mechanisms that could let a remote attacker bypass authentication and execute arbitrary actions with administrative privileges on vulnerable devices.</p>
<p>Cisco said that the vulnerabilities are independent of each other so exploitation of one is not required to exploit another. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the others, the company said.</p>
<p><strong>The critical weaknesses include:</strong></p>
<p>REST API authentication bypass vulnerability: A vulnerability in the REST API endpoint of Cisco DCNM could allow a remote attacker to bypass authentication. “The vulnerability exists because a static encryption key is shared between installations. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges,” Cisco stated.</p>
<p>SOAP API authentication bypass vulnerability: A weakness in the SOAP API endpoint of Cisco DCNM could let an unauthenticated, remote attacker bypass authentication on an affected device. Like the REST vulnerability, this problem exists because a static encryption key is shared between installations. Exploits could allow arbitrary actions through the SOAP API with administrative privileges.</p>
<p>Authentication-bypass vulnerability: A weakness in the web-based management interface of Cisco DCNM could also let remote attackers bypass authentication on an affected device. Again, the vulnerability is due to the presence of static credentials, which an attacker could exploit by using them to authenticate against the user interface, Cisco stated. “A successful exploit could allow the attacker to access a specific section of the web interface and obtain certain confidential information from an affected device. This information could be used to conduct further attacks against the system,” Cisco stated.</p>
<p>There are no workarounds that address these vulnerabilities, but Cisco has released a DCNM software version that addresses the problems, the company stated. Cisco said it is not aware of any public announcements about or malicious use of the DCNM vulnerabilities.</p>
<h2>Less severe vulnerabilities</h2>
<p>There were numerous additional DCNM vulnerabilities involving the REST and SOAP APIs with “high” to “medium” threat ratings, including:</p>
<p>REST API SQL-injection vulnerability: A vulnerability in the REST API of Cisco DCNM could let an authenticated, remote attacker with administrative privileges execute arbitrary SQL commands on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the API and an attacker could exploit this vulnerability by sending a crafted request to the API, Cisco wrote. A successful exploit could let an attacker view information that they are not authorized to view, make changes to the system that they are not authorized to make, or execute commands within the underlying operating system that may affect the availability of the system.</p>
<p>REST API path-traversal vulnerability: A vulnerability in the REST API of Cisco DCNM could allow an authenticated, remote attacker with administrative privileges to conduct directory-traversal attacks on an affected device. An attacker could exploit this vulnerability by sending a crafted request to the API, which could allow the attacker to read, write, or execute arbitrary files in the system with full administrative privileges. The exposure is due to insufficient validation of user-supplied input to the API, Cisco wrote.</p>
<p>REST API command-injection vulnerability: A weakness in the REST API of Cisco DCNM could allow an authenticated, remote attacker with administrative privileges on the DCNM application to inject arbitrary commands on the underlying OS. An attacker could exploit this vulnerability by sending a crafted request to the API, which could let the attacker execute arbitrary commands on the device with full administrative privileges. The vulnerability is due to insufficient validation of user-supplied input to the API, Cisco stated.</p>
<p>SOAP API SQL-injection vulnerability: A weakness in the SOAP API of Cisco DCNM could allow an authenticated, remote attacker with administrative privileges to execute arbitrary SQL commands on an affected device. A successful exploit could allow the attacker to view information that they are not authorized to view, make changes to the system that they are not authorized to make, or execute commands within the underlying operating system that may affect the availability of the device. The problem is due to insufficient validation of user-supplied input to the API, Cisco wrote.</p>
<p>SOAP API path-traversal vulnerability: A vulnerability in the SOAP API of DCNM could allow an authenticated, remote attacker with administrative privileges to conduct directory-traversal attacks on an affected device. A successful exploit could allow the attacker to read, write, or execute arbitrary files in the system with full administrative privileges. Cisco said the vulnerability is due to insufficient validation of user-supplied input to the API.</p>
<p>SOAP API command injection vulnerability: A vulnerability in the SOAP API of DCNM could let an authenticated, remote attacker with administrative privileges on the DCNM application inject arbitrary commands on the underlying OS. An attacker could exploit this vulnerability by sending a crafted request to the API. A successful exploit could let an attacker execute arbitrary commands on the device with full administrative privileges. Cisco said the vulnerability is due to insufficient validation of user-supplied input to the API.</p>
<p>Path-traversal vulnerability: A vulnerability in the Application Framework feature of DCNM could allow an authenticated, remote attacker with administrative privileges to conduct directory traversal attacks on an affected device. An attacker could exploit this vulnerability by sending a crafted request to the application. A successful exploit could allow the attacker to read, write, or execute arbitrary files in the system with full administrative privileges. The vulnerability is due to insufficient validation of user-supplied input to the Application Framework endpoint, Cisco stated.</p>
<p>Cisco has released software updates that address the vulnerabilities.</p>
<p>Cisco said it fixed all of the vulnerabilities in Cisco DCNM Software releases 11.3.1 and later.</p>
<p>This story, &#8220;Cisco issues critical security warnings its Data Center Network Manager&#8221; was originally published by <a href="https://www.networkworld.com/" target="_blank" rel="noopener noreferrer">Network World</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">643</post-id>	</item>
		<item>
		<title>Microsoft Releases Silverlight 5: The Final Version?</title>
		<link>https://www.zeotechnologies.com/microsoft-releases-silverlight-5-the-final-version/</link>
		
		<dc:creator><![CDATA[Zeo Technologies]]></dc:creator>
		<pubDate>Fri, 13 Apr 2012 13:49:58 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">http://www.zeotechnologies.com?p=171</guid>

					<description><![CDATA[<p>As widely discussed last month, Flash has already been squeezed out of the front end of the mobile experience. Now here comes Silverlight to try to fix its place among developers&#8217; favorite framework tools, but will its place at the front of sites be relevant for long? Gone in a Flash Silverlight has only ever had, at best, 65% penetration on the desktop and minimal mobile presence, meaning that&#8230;</p>
<p>The post <a href="https://www.zeotechnologies.com/microsoft-releases-silverlight-5-the-final-version/">Microsoft Releases Silverlight 5: The Final Version?</a> appeared first on <a href="https://www.zeotechnologies.com">Zeo Technologies</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As widely discussed last month, Flash has already been squeezed out of the front end of the mobile experience. Now here comes Silverlight to try to fix its place among developers&#8217; favorite framework tools, but will its place at the front of sites be relevant for long? <span id="more-171"></span></p>
<p><strong>Gone in a Flash</strong></p>
<p>Silverlight has only ever had, at best, 65% penetration on the desktop and minimal mobile presence, meaning that developers using it were writing for a smaller audience, compared with Flash and Java. So, it is not much of a surprise to find that Silverlight&#8217;s fifth release happened with more of a nudge out the door than an explosive presentation like the early versions.</p>
<p>However, if Windows Phones take off, then there is still a future for Silverlight, along with Expression and Visual Studio, to create applications for that growing user base. The new version offers plenty of features for both desktop web use and mobile app development.</p>
<p><strong>Feature-Rich</strong></p>
<p>New features in Silverlight 5 include hardware GPU decoding of H.264 media, plus an improved graphics stack with 3D support in Windows with GPU access to draw vertex shaders and low-level 3D primitives, for gaming-class graphics within the browser. It also adds a secure &#8220;trusted app&#8221; model to the browser.</p>
<p>Those features help keep it on a vague par with HTML 5, which Microsoft is happily supporting in its new browsers, but the lack of shouting &#8220;look-at-me&#8221; news and Microsoft&#8217;s silence about its plans beyond this version suggest that Silverlight has a limited future.</p>
<p>Resource: http://www.cmswire.com/cms/customer-experience/microsoft-releases-silverlight-5-the-final-version-013806.php</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">171</post-id>	</item>
		<item>
		<title>Oracle previews MySQL 5.6</title>
		<link>https://www.zeotechnologies.com/oracle-previews-mysql-5-6/</link>
		
		<dc:creator><![CDATA[Zeo Technologies]]></dc:creator>
		<pubDate>Wed, 11 Apr 2012 20:21:21 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">http://www.zeotechnologies.com?p=64</guid>

					<description><![CDATA[<p>Offering a glimpse of the new features some database administrators will be working with before too long, Oracle has posted a preview version of the next MySQL relational database management system. The Development Milestone Release (DMR) for MySQL 5.6 comes with a number of new and still experimental features for the open source database system, including improved replication and the ability to bypass the SQL framework for faster data&#8230;</p>
<p>The post <a href="https://www.zeotechnologies.com/oracle-previews-mysql-5-6/">Oracle previews MySQL 5.6</a> appeared first on <a href="https://www.zeotechnologies.com">Zeo Technologies</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Offering a glimpse of the new features some database administrators will be working with before too long, Oracle has posted a preview version of the next MySQL relational database management system.</p>
<p>The Development Milestone Release (DMR) for MySQL 5.6 comes with a number of new and still experimental features for the open source database system, including improved replication and the ability to bypass the SQL framework for faster data access.  <span id="more-64"></span></p>
<p>As part of the open source LAMP stack &#8212; which also includes Linux, Apache and Perl, Python and PHP &#8212; MySQL is widely used in Web applications. Large, popular sites such as Twitter, Facebook and Flickr use MySQL.</p>
<p>With this pending version of MySQL 5.6, Oracle and outside developers have strengthened the way the software handles data replication, as well as potentially shortening the software&#8217;s response times to complex queries.</p>
<p>With regard to replication, MySQL introduces Global Transaction Identifiers (GTIDs), which ensure the system can track data as it is replicated across different servers. GTIDs will ease the process of automatically switching to a duplicate server should the original fail. Third-party software now offers this capability, but this will be the first time MySQL itself can do the job.</p>
<p>MySQL 5.6 offers a number of new features that should speed queries. It can now consolidate multiple queries or result sets into a single unit of work. It can assign the current date and time as the default for DATETIME columns, eliminating the need for the application to do that work itself. The software can also speed query time by determining the best order of execution for Filesort and ORDER BY queries.</p>
<p>Another new benefit for developers: MySQL can also deliver query results in the popular JSON (JavaScript Object Notation) format, useful for integrating data to Web applications.</p>
<p>In addition to these new features, which will be ready for production duty with the full release of MySQL 5.6, the software also includes some experimental features that may appear in future versions of the software, courtesy of Oracle&#8217;s MySQL Labs. Developers can test them now to see how well they work.</p>
<p>Perhaps the most notable feature is an API (application programming interface) that allows applications to directly access data from the core InnoDB database engine, rather than going through the SQL-based interface. The API replicates the interface of the open source memcache caching technology used by Facebook and others for speedy access to large amounts of data.</p>
<p>Such an API may bring MySQL on par with the easy accessibility offered by NoSQL databases currently gaining favor in Web applications, said Tomas Ulin, Oracle vice president of MySQL engineering, in an interview last year.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">64</post-id>	</item>
		<item>
		<title>Flashback Virus</title>
		<link>https://www.zeotechnologies.com/hello-world/</link>
		
		<dc:creator><![CDATA[Zeo Technologies]]></dc:creator>
		<pubDate>Wed, 11 Apr 2012 14:41:51 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<guid isPermaLink="false">http://www.zeotechnologies.com?p=1</guid>

					<description><![CDATA[<p>Think your Apple computer is immune? Think different. A nasty bit of malware called Flashback has infected approximately 600,000 Macintosh computers worldwide through a Java security flaw, according to a Russian security firm &#8212; and Apple itself is hard at work on a fix, the company said Tuesday. “Apple is developing software that will detect and remove the Flashback malware,” the company wrote in a support document on its&#8230;</p>
<p>The post <a href="https://www.zeotechnologies.com/hello-world/">Flashback Virus</a> appeared first on <a href="https://www.zeotechnologies.com">Zeo Technologies</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Think your Apple computer is immune? Think different.</p>
<p>A nasty bit of malware called Flashback has infected approximately 600,000 Macintosh computers worldwide through a Java security flaw, according to a Russian security firm &#8212; and Apple itself is hard at work on a fix, the company said Tuesday.</p>
<p>“Apple is developing software that will detect and remove the Flashback malware,” the company wrote in a <a href="http://support.apple.com/kb/HT5244?viewlocale=en_US&amp;locale=en_US">support document on its site</a> addressing the Flashback malware. <span id="more-1"></span></p>
<p>“Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6” &#8212; the most recent versions of the operating system, the company noted. But software will still be required to remove Flashback from systems that are already infected.</p>
<div>Read more: <a href="http://www.foxnews.com/scitech/2012/04/11/apple-writing-software-to-rid-half-million-macs-flashback-virus/#ixzz1rl5FV8h4">http://www.foxnews.com/scitech/2012/04/11/apple-writing-software-to-rid-half-million-macs-flashback-virus/#ixzz1rl5FV8h4</a></div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1</post-id>	</item>
	</channel>
</rss>
