Cisco patches yet another Data Centre Network Manager vuln

Cisco has coughed to its Data Centre Network Manager (DCNM) software having a rather unpleasant vulnerability – but there's a patch for it. The vuln allows a logged-in attacker to gain access to sensitive files on a targeted system. Cisco described the flaw as being down to "improper validation of user requests within the …

  1. Korev

    Directory Traversal

    a malicious person could send requests containing directory traversal "character sequences", fooling the target server into returning the contents of file directories – or even allowing the attacker to create their own files.

    Potentially dumb question: Why don't their automated testing tools scan for this kind of vulnerability? Directory traversal exploits aren't exactly new.

    1. Anonymous Coward

      Re: Directory Traversal

      Based on my experience of Cisco products, it's probably not a dumb question.

      To create Cisco, a very specific development process is followed:

      - startup creates software (quality varies, but let's say it's X)

      - Cisco buys product and gives it a light rebrand and functionality remains similar to original. There may even be patches

      - Cisco begins to integrate product X into its standard offering for that product portfolio. Imagine the screams of the damned as a product of quality X is merged with an existing internal product of quality Y where the quality of Y >> 0. The number of key features removed from both products should relate to the order of magnitude of the version change.

      - while customers still buy the product, keep mangling the software.

      Now, given this process of mutilation, the idea of running security tools over the code will likely result in a "can we just disable that feature?" response rather than a "we should fix that" response.

      Or worse, maybe Cisco sees these security vulnerabilities as a chance to upsell the solution to include firewalls to protect their flimsy solutions...

      /cynicism
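Korev's question above (why automated testing doesn't catch traversal) has a concrete answer: a traversal check is a handful of lines and is trivial to put under test. What follows is an added example, not code from the article or from Cisco DCNM. It shows a file-serving path resolver written the naive way (join the client-supplied path onto a base directory and normalise it) beside a hardened version (decode once, reject NUL bytes, resolve to a real path, and confirm the result is still under the base using a component-wise comparison), and a small audit harness that throws the classic traversal "character sequences" from the article at both. The base directory, payloads and function names are all constructed for the example and are not taken from the affected product.

```python
import os
import urllib.parse

# Hypothetical directory from which the server hands files back to clients.
BASE_DIR = "/srv/dcnm/exports"


def resolve_naive(base, requested):
    """Vulnerable resolver: trusts the client-supplied path.

    The web layer has already percent-decoded the request (unquote models
    that here). normpath happily collapses '..' segments straight out of
    base, and join() discards base entirely when the request is absolute.
    """
    decoded = urllib.parse.unquote(requested)
    return os.path.normpath(os.path.join(base, decoded))


def resolve_hardened(base, requested):
    """Hardened resolver: canonicalise, then prove the result is under base.

    Raises ValueError for anything that is not a file inside base.
    """
    decoded = urllib.parse.unquote(requested)  # decode exactly once
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested path")
    real_base = os.path.realpath(base)
    # join() drops real_base for absolute input; realpath() then gives the
    # true target, and the commonpath check below catches the escape.
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    # commonpath compares whole path components, so '/srv/dcnm/exports_old'
    # is NOT accepted as being inside '/srv/dcnm/exports' (a startswith()
    # prefix test would get that wrong).
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError("requested path escapes base directory")
    return candidate


# Constructed test corpus: one legitimate request plus traversal payloads
# of the kind the article describes (directory traversal "character
# sequences", encoded separators, an absolute path, a NUL-byte truncation).
PAYLOADS = [
    "reports/2018/summary.csv",        # legitimate
    "../../../etc/passwd",             # plain dot-dot-slash
    "reports/../../../../etc/shadow",  # traversal after a valid prefix
    "..%2f..%2f..%2fetc%2fpasswd",     # percent-encoded separators
    "/etc/passwd",                     # absolute path replaces the base
    "summary.csv%00.txt",              # NUL byte to truncate an extension check
]


def classify(resolver, requested, base=BASE_DIR):
    """Return 'rejected', 'contained' or 'escaped' for one request."""
    real_base = os.path.realpath(base)
    try:
        resolved = resolver(base, requested)
    except ValueError:
        return "rejected"
    # Pure string comparison: the naive resolver may return a path with a
    # NUL in it, which must not be handed to the filesystem here.
    if os.path.commonpath([real_base, resolved]) == real_base:
        return "contained"
    return "escaped"


def audit(resolver):
    """Run every payload through a resolver; this is the automated test."""
    return {p: classify(resolver, p) for p in PAYLOADS}


if __name__ == "__main__":
    for name, resolver in (("naive", resolve_naive), ("hardened", resolve_hardened)):
        print(f"== {name} ==")
        for payload, verdict in audit(resolver).items():
            print(f"  {verdict:9s} {payload!r}")
```

Run as a script it prints the verdict for each payload against each resolver; wired into a CI job, a single assertion that `audit(resolve_hardened)` contains no `"escaped"` entry is enough to fail the build if someone later reintroduces the naive pattern. Note that the naive resolver reports the NUL-byte payload as "contained" only because the string check never reaches the filesystem; what a later `open()` does with that path depends on the runtime, which is exactly why the hardened version refuses it outright.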

  2. Anonymous Coward

    It's 2018 and...

    ...why am I not surprised.


Biting the hand that feeds IT © 1998–2020