Cisco this week issued a security advisory on its IronPort encryption appliances. The appliances contain two vulnerabilities: one that allows remote, unauthenticated access to any file on the device; and another that allows remote, unauthenticated users to execute arbitrary code with elevated privileges.
Workarounds are available to mitigate the vulnerabilities, and Cisco says it has released free software updates that address them.
The affected appliances are the IronPort Encryption Appliance 6.5 versions prior to 6.5.2; IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1; and IronPort PostX MAP versions prior to 6.2.9.1.
Attackers can gain access to arbitrary files on vulnerable devices via the embedded HTTPS server and the WebSafe servlet. Attackers can also run arbitrary code with elevated privileges on vulnerable devices via the embedded HTTPS server.
Cisco says it is not aware of any public announcements or malicious use of the vulnerabilities. The company acquired IronPort in 2007.
This is Network World's Cisco Subnet news alert in which we focus on the top items from Cisco Subnet, your source for Cisco news, blogs, discussion items, security alerts, giveaways and more.