Reading view

There are new articles available, click to refresh the page.

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to trigger a denial-of-service (DoS) condition.

Cisco this week released patches to address multiple IOS and IOS XE software vulnerabilities. An unauthenticated attacker can exploit several issues fixed by the IT giant to cause a denial-of-service (DoS) condition.

Below are the most severe issues addressed by the company:

CVE-2024-20311 (CVSS score 8.6) – A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload.

CVE-2024-20314 (CVSS score 8.6) – A vulnerability in the IPv4 Software-Defined Access (SD-Access) fabric edge node feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause high CPU utilization and stop all traffic processing, resulting in a denial of service (DoS) condition on an affected device.

CVE-2024-20307 – CVE-2024-20308 (CVSS score 8.6) – Multiple vulnerabilities in the Internet Key Exchange version 1 (IKEv1) fragmentation feature of Cisco IOS Software and Cisco IOS XE Software. An attacker could allow an unauthenticated, remote attacker to cause a heap overflow or corruption on an affected system.

CVE-2024-20259 (CVSS score 8.6) – A vulnerability in the DHCP snooping feature of Cisco IOS XE Software. An unauthenticated, remote attacker can trigger the flaw to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition.

CVE-2024-20303 (CVSS score 7.4) – A vulnerability in the multicast DNS (mDNS) gateway feature of IOS XE Software for Wireless LAN Controllers (WLCs). An unauthenticated, adjacent attacker can trigger the flaw to cause a denial of service (DoS) condition.

The company also addressed other high and medium-severity vulnerabilities in Access Point Software, Catalyst Center, and Aironet Access Point Software.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers’ personal information and partial payment data.

Hot Topic, Inc. is an American fast-fashion company specializing in counterculture-related clothing and accessories, as well as licensed music.

The company was the victim of credential stuffing attacks against its website and mobile application on November 18-19 and November 25, 2023. The attackers detected suspicious login activity to certain Hot Topic Rewards accounts.

Threat actors obtained valid account credentials obtained from an unknown third-party source.

Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

“We recently identified suspicious login activity to certain Hot Topic Rewards accounts. Following a careful investigation, we determined that unauthorized parties launched automated attacks against our website and mobile application on November 18-19 and November 25, 2023 using valid account credentials (e.g., email addresses and passwords) obtained from an unknown third-party source. Hot Topic was not the source of the account credentials used in these attacks.” reads the notification sent to the potentially impacted customers.

The company informed customers that it could not confirm whether unauthorized third parties accessed any accounts or if the logins were legitimate customer access during the relevant periods. The company only observed that the account credentials of potentially impacted customers were used to log into their Rewards account.

“It’s important to note that we have not concluded any unauthorized access to your Hot Topic Rewards account. We’re sending you this notice as a precautionary measure.” continues the notification.

Threat actors may have accessed customers’ names, email addresses, order history, phone numbers, month and day of their births, and mailing addresses. If the potentially impacted customers had saved a payment card to their Rewards account, threat actors could have accessed the last four digits of the card number.

Hot Topic revealed that after detecting the suspicious activity, they launched an investigation with the help of outside cybersecurity experts. The company also announced the implementation of specific measures to improve the website and mobile application protection from credential stuffing attacks. The company also recommends changing the account password.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services of Cisco Secure Firewall devices.

Cisco is warning customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company published a document containing recommendations against password spray attacks aimed at Remote Access VPN (RAVPN) services. The IT giant pointed out that the attacks are also targeting third-party VPN concentrators.

“Cisco was made aware of multiple reports related to password spraying attacks aimed at RAVPN services. It has been noted by Talos that these attacks are not limited to Cisco products but also third-party VPN concentrators.” reads the report. “Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions.”

Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

The company shared Indicators of Compromise (IoC) for these attacks, including:

  • Unable to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled;
  • Unusual Amount of Authentication Requests;

Below is the list of recommendations to defend against these attacks:

  • Enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices.
  • Securing Default Remote Access VPN Profiles when the default remote access VPN connection profiles/tunnel groups DefaultRAGroup and DefaultWEBVPNGroup are not used. The company urge to to prevent authentication attempts and remote access VPN session establishment using these default connection profiles/tunnel groups by pointing them to a sinkhole AAA server.
  • Leveraging TCP shun to block a malicious IP. This activity must be done manually. 
  • Configuring Control-plance ACL on the ASA/FTD to filter out unauthorized public IP addresses and prevent them from initiating remote VPN sessions.
  • Use Certificate-based authentication for RAVPN
  • Using certificates for authentication because provide a more robust approach compared to the use of credentials. To harden your environment, you can change the authentication method for RAVPN to be based on certificates.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, password-spraying attacks)

❌