
EtherealMind

Software Defined & Intent Based Networking


Summary of Cisco NX-OS security vulnerabilities I uncovered – Maximum Entropy

13th March 2018 By Greg Ferro Filed Under: Security

Four years to fix security vulnerabilities in NX-OS code is way too long. It's amazing that customers accept that Cisco will take years to patch bugs in the latest and most actively developed version of its data centre switch software AFTER public disclosure. Reporting was done via internal channels from a trusted third party, and I can't see any excuse for such a poor security response.

The exploits, which I formally reported to Cisco, were never made public until over four years later.

It's clear that Cisco doesn't care about the security of its products, with regular vulnerabilities across all of its products followed by very slow reaction and patching.

Summary of Cisco NX-OS security vulnerabilities I uncovered – Maximum Entropy : http://www.feeny.org/summary-cisco-nx-os-security-vulnerabilities-uncovered/

About Greg Ferro

Human Infrastructure for Data Networks. 25 year survivor of Corporate IT in many verticals, tens of employers working on a wide range of networking solutions and products.

Host of the Packet Pushers Podcast on data networking at http://packetpushers.net - now the largest networking podcast on the Internet.

My personal blog at http://gregferro.com

Comments

  1. Bob Plankers says

    17th March 2018 at 03:01 +0100

    This is on the reporter of the problems. It's standard to put a clock on a vulnerability, then disclose publicly when the clock expires. If you don't, there is no reason they need to fix it, and there's possibly even pressure from governments to not fix it.

    If there was an NDA in place then that’s a problem, but it isn’t as if there aren’t a ton of security researchers out there that could be tipped off anonymously.

    • Greg Ferro says

      17th March 2018 at 15:19 +0100

      He worked for a vendor partner. That kind of useful honesty doesn’t get rewarded in the culture of Cisco or EMC. He would risk his job and any accrued benefits.


Copyright Greg Ferro 2008-2017 - Thanks for reading my site, it's been good to have you here.

Opinions, views and ideas expressed here are my own and do not represent any employer, vendor or sponsor.