Saturday13 August 2022

Cisco updates IronPort to fix a bug in a protocol that should not be used anyway...

Reading time is around minutes.

If you are in the information security field then the latest “news” that Cisco fixed a flaw in a protocol that should not be used will probably give you a chuckle. I am talking about Telnet which is not exactly what you would call a secure means of communicating with any device. In most cases Telnet is one of those options that you turn off right out of the box. Still it is nice to know that Cisco is patching it.

The flaw exists in all Cisco Web Security, Email Security, and Content Security Management Appliances (in other words most IronPort based products) if Telnet is enabled. In the Web Security appliance this protocol is turned off after the setup wizard is completed so the exposure there is limited.

For other appliances the concern is real, although any competent security professional is going to shut down access through telnet, just because it is an insecure protocol anyway. For those of you interested, the original flaw found back in 2011 was related to the way that Telnet handled encryption keys. Due to a lack of boundary checks someone could gain access without proper authentication. However even going back to 1999 Telnet was being phased out because it was not able to properly be secured even if you were using encryption. It has been succeeded by SSH (Secure Shell).

It is sort of comical that Cisco, who talks up their security practices and products would continue working with such a vulnerable protocol and that it is still an option to communicate with these devices. Then again, we are seeing this as a common trend in the industry considering the recent SSL v3.0 bug and a few others that are here simply because people do not want to move away from the older methods to the new… it is as funny as it is sad.

Tell us what you think

Last modified on Tuesday, 28 October 2014 16:01

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.