Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Cisco Fixes Flaws in Network Analysis Modules

Cisco informed customers on Wednesday that it has released patches for several medium and high severity vulnerabilities affecting its Prime Network Analysis Module products.

Cisco informed customers on Wednesday that it has released patches for several medium and high severity vulnerabilities affecting its Prime Network Analysis Module products.

Cisco’s Network Analysis Module (NAM) products are part of the company’s cloud and system management offering. They enable administrators to optimize network resources and improve the delivery of applications and services.

The product has been found to be plagued by two vulnerabilities that have been rated “high severity.” One of them, tracked as CVE-2016-1370, allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted IPv6 packets on the network where the NAM is monitoring traffic.

Another high severity issue, tracked as CVE-2016-1388, affects the product’s web interface. An attacker can exploit the flaw to remotely execute arbitrary commands on the underlying operating system via specially crafted HTTP requests. This vulnerability has been found to affect both physical and virtual modules (vNAM).

Cisco’s NAM and vNAM products are also plagued by two medium severity issues. One of them is a command injection vulnerability (CVE-2016-1390) that allows a local, authenticated attacker to execute arbitrary commands on the host operating system. An attacker could manage to execute commands with root privileges by submitting specially crafted input.

The second medium severity issue affects the web interface and allows a remote attacker to execute arbitrary commands or code by sending specially crafted HTTP requests to the targeted system. The vulnerability, identified as CVE-2016-1391, can only be exploited by an authenticated attacker.

Cisco addressed the flaws with the release of patches and security updates that can be downloaded from the Software Center on the company’s website.

The DoS vulnerability was identified by Cisco during internal quality assurance security testing, while the other issues were reported to the company by Daniel Jensen from Security-Assessment.com.

Related: Cisco Releases Critical Security Updates

Related: Cisco Patches Severe Flaws in Wireless LAN Controller

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...