Cisco coughs up baker's dozen of vulns and other security nasties

Cisco's six-monthly security update contains a baker's dozen of vulns and flaws in its IOS and IOS XE suites – including a backdoor that "could allow an unauthenticated, local attacker to bypass Cisco Secure Boot validation checks and load a compromised software image on an affected device". The Cisco IOS ROM Monitor (ROMMON) …

  1. Version 1.0 Silver badge

    Vulnerabilities are profitable

    There's a nice financial upside to vulnerabilities that "can't be patched" - actually they can be patched most of the time but the manufacturer simply doesn't want to patch them.

    And why not? Because now they can sell the customer some new kit.

    1. Brian Miller

      Re: Vulnerabilities are profitable

      I think that "can't be patched" is a euphemism for "our code is so rotten and our management and devs are so horrid that we really can't do it."

      I worked at a company that produced a network gateway product. The code was written over a ten-year period, and all of the devs were laid off when operations were consolidated and the devs didn't want to relocate. The compiler vendor had gone out of business. Really. And of course the code couldn't be ported to either Borland or Microsoft in a reasonable amount of time, i.e., if you bothered with a port you might as well rewrite all of it. So I fixed bugs in this mess, memory overwrites and bad logic. If I can do it after being given a code base in a 20 MB .zip file, the people at Cisco can do it, if they're competent.

  2. LeahroyNake Bronze badge

    How much ?

    I had to ask how much so therefore I can't afford it, or the support contract required to get access to the updates that are fixing issues that should not be there in the first place.

    1. sanmigueelbeer Silver badge

      Re: How much ?

      I had to ask how much so therefore I can't afford it, or the support contract required to get access to the updates that are fixing issues that should not be there in the first place.

      Read the section entitled Customers Without Service Contracts.

  3. Jack of Shadows Silver badge

    Yet another backdoor

    Once is happenstance. Twice is coincidence. Thrice is enemy action. We're way beyond thrice. What do we call it now?

    Got it: Conspiracy.

Biting the hand that feeds IT © 1998–2019