Cisco Warns Customers on Vulnerabilities in Content Service Gateway
Recently, security researchers at Cisco disclosed security flaws in its second generation content service gateway (CSG2). Content service gateways are used by organizations to offer access to content on their sites at a price.
One of the vulnerabilities has been identified as a service policy bypass vulnerability, which allows an attacker to circumvent billing polices and gain unauthorized access to restricted content. The vulnerability allows customers of an organization to gain access to sites with similar billing policy without being charged. The security flaw also allows customers to gain access to sites, which are generally configured to restrict access.
The affected CISCO IOS Software include 12.4 (11)MD, 12.4(15)MD, 12.4(22)MD and versions released prior to 12.4(24)MD 3, 12.4(22)MDA 5 and 12.4(24)MDA 3 on CSG2.Content service gateways allow organizations to earn for the content offered on their websites. and restrict improper use of content by third parties. The gateways prevent other service providers from taking undue benefit of content available on an organizations website.
Security researchers at Cisco have also identified two vulnerabilities in Cisco IOS Software 12.4(24)MD1 for CSG2.The identified vulnerabilities may cause denial-of-service condition on CSG 2. Attackers may use well-crafted Transmission Control Protocol (TCP) packets to gain unauthorized access and cause denial of service stopping the traffic flow to CSG2. The vulnerability requires only one active service content to be active to be exploited by the attackers. The vulnerabilities affect IOS Software 12.4(24)MD1 for the second generation content service gateway. The vulnerability may cause the gateway to reload or stuck denying services.
Usually, ethical hackers help developers in identifying vulnerabilities prior to individuals with malicious intent to prevent their exploitation. Cisco is yet to issue any patch for the vulnerabilities.
Developers are faced with the constant challenge of developing secured products. Attackers on the other hand constantly endeavor to breach security mechanisms. Online training programs enable self paced learning and skill enhancement facility to product developers without disrupting their work obligations.
Information security training may help employees of an organization to understand the relevant security threats, gain insights on the likely implications, understand the first response procedures and ensure timely reporting of vulnerabilities.
EC-Council provides industry training and certification for information security professionals in ethical hacking among many other specializations. "Understanding how hackers exploit these vulnerabilities is a key requirement to hardening software and hardware. That is why EC-Council focuses on ethical hacking as an approach to information security evaluation" as stated by EC-Council's Senior Director, Steven Graham. EC-Council through its Certified Ethical Hacker program has trained such information security professionals from all over the world.
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences. The global organization is headquartered in Albuquerque, New Mexico.
6330 Riverside Plaza Ln NW
Albuquerque, NM 87120
Tag Words: service policy bypass, bypass vulnerability, csg2, content service gateway, cisco, security, service, ios software, security threats