this post was submitted on 21 Oct 2023
[–] nbailey@lemmy.ca 44 points 11 months ago (3 children)

Or, hear me out, maybe we don’t expose network management interfaces to untrusted networks? Sure, shit can still get breached by very deep intrusions, but at least you don’t show up on Shodan!?

[–] tym@lemmy.world 21 points 11 months ago (1 children)

This is the way. It baffles me how often I have to have 'the talk' with IT people. Don't be lazy, create a secure tunnel into the LAN!

[–] Oisteink@feddit.nl 4 points 11 months ago

I’ve discovered interfaces left behind on LAN VLANs - and they’re all set up with a separate mgmt network, so why make one on the LAN for some quick test and leave it behind? With web, CLI and API open….

[–] kinther@lemmy.world 8 points 11 months ago* (last edited 11 months ago) (1 children)

At least have a source IP access list only allowing trusted IP ranges. Ideally it would only be reached from an internal IP range or bastion host, but not all companies have a security hat to wear.

[–] p03locke@lemmy.dbzer0.com 7 points 11 months ago (1 children)

but not all companies have a security hat to wear.

This is the barest of minimalistic security. It's a router. You don't allow external admin access to the router. Period. End of story.

[–] kinther@lemmy.world 4 points 11 months ago (1 children)

I don't disagree with you if a company has a competent employee configuring them.

[–] p03locke@lemmy.dbzer0.com 1 points 11 months ago

It shouldn't even be allowed by the router software.

[–] _dev_null@lemmy.zxcvn.xyz 5 points 11 months ago

Indeed, from a tenable article:

Cisco does recommend disabling the HTTP Server feature on any Cisco IOS XE systems that are internet-facing. The advisory provides steps on how to disable the feature as well as steps on how to determine if the HTTP Server feature is enabled. Additionally, the Cisco security advisory outlines an additional command to run after disabling the HTTP Server feature, to ensure that the feature is not re-enabled after a system reload.

So yeah, maybe not widen your attack surface to the whole fucking internet in the first place.
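As an added example (not code from the thread, from Cisco or from Tenable): a small Python audit that reads a `show running-config` dump and reports the state of the HTTP Server feature the quoted advisory text refers to, and whether an `ip http access-class` limits which sources can reach it, which is the access-list point kinther makes above. The IOS commands it names are the standard ones; the sample config excerpts are constructed, not taken from a real device.

```python
import re

# Constructed sample running-config excerpts, not captured from a real device.
EXPOSED = "hostname edge-rtr\nip http server\nip http secure-server\n"
HARDENED = "hostname edge-rtr\nno ip http server\nno ip http secure-server\n"
RESTRICTED = """\
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

def audit_http_server(running_config: str) -> dict:
    """Read the lines 'show running-config | include ip http' would return.

    'ip http server' / 'ip http secure-server' mean the web UI is on; their
    'no ...' forms mean off. 'ip http access-class' (a numbered ACL or
    'ipv4 <name>') limits which source addresses can reach it at all.
    """
    state = {"http": False, "https": False, "access_class": None}
    for raw in running_config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            state["http"] = True
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http server":
            state["http"] = False
        elif line == "no ip http secure-server":
            state["https"] = False
        else:
            m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                state["access_class"] = m.group(1)
    return state

def findings(running_config: str) -> list:
    """Remediation steps for this config; an empty list means nothing to do."""
    s = audit_http_server(running_config)
    out = []
    if s["http"]:
        out.append("HTTP on: 'no ip http server'")
    if s["https"]:
        out.append("HTTPS on: 'no ip http secure-server'")
    if (s["http"] or s["https"]) and s["access_class"] is None:
        out.append("no 'ip http access-class': web UI reachable from any source")
    if out:
        # The advisory's follow-up step: save, so a reload cannot re-enable it.
        out.append("then 'copy running-config startup-config'")
    return out
```

Run it against a real config export and anything other than an empty list is something to fix before the box is reachable from anywhere untrusted.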