No fix for password validation vulnerability in Cisco routers at end-of-life
Cisco won’t to push out a software update to handle a security vulnerability in the web-based management interface of its still-available small-business routers the models RV110W, RV130, RV130Wand RV215W.
The vulnerability is because of insufficient user input validation of incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface.
The routers you could end up a denial-of-service condition. Based on the advisory, an attacker could send a crafted request to the web-based management interface and execute arbitrary commands on an affected device using root-level privileges.
Cisco have not, and will not, plan to release software updates, based on the announcement, and you can find no workarounds.
“The Cisco SMALL COMPANY RV110W, RV130, RV130Wand RV215W Routers have entered the end-of-life process,” said Cisco officials in the announcement. The business advises customers to migrate to the Cisco SMALL COMPANY RV132W, RV160 or RV160W routers.
Multiple patches for multiple Cisco products can be found
Cisco in addition has released updates to handle cybersecurity vulnerabilities in multiple products.
In accordance with its advisory, the Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to use the required updates for just two of the higher-severity vulnerabilities.
The Cisco SD-WAN vManage software unauthenticated usage of messaging services vulnerability exists as the messaging server container ports on an affected system lack sufficient protection mechanisms, says Cisco.
The vulnerability inanNvidia data plane development kit affects Cisco products as the messaging server container ports on an affected system lack sufficient protection mechanisms.
Additional updates for lower-severity vulnerabilities may also be available.
Software updates for infusion pumps and batteries are forthcoming
In April, Rapid7discovered multiple vulnerabilities in two TCP/IP-enabled medical devices made by Baxter Healthcare the SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01) and SIGMA Wi-Fi Battery (Firmware Versions 16, 17, 20 D29)
Software updates to disable Telnet and FTP (CVE-2022-26392) come in process while some are actually available, in accordance with Baxter.
Updates to handle the format string attack (CVE-2022-26393) are addressed in WBM version 20D30 and all the WBM versions, and authentication has already been obtainable in Spectrum IQ (CVE-2022-26394).
Instructions to erase all data and settings from WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) can be found on Baxter’s website.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is really a HIMSS publication.