Data
Events
Data: CASIE
Negative Trigger
Cisco [has released | Vulnerability-related.PatchVulnerability] fixes for 34 flaws in its software, including 24 that [affect | Vulnerability-related.DiscoverVulnerability] its FXOS software for Firepower firewalls and NX-OS software for Nexus switches.

Cisco's June updates include fixes for five critical arbitrary code execution vulnerabilities [affecting | Vulnerability-related.DiscoverVulnerability] FXOS and NX-OS and 19 high-rated flaws [affecting | Vulnerability-related.DiscoverVulnerability] the software. Four of the critical flaws [affect | Vulnerability-related.DiscoverVulnerability] FXOS and NX-OS Cisco Fabric Services, while the fifth one [affects | Vulnerability-related.DiscoverVulnerability] the NX-API feature of NX-OS. All have a CVSS v3 score of 9.8 out of a maximum of 10.

Cisco Fabric Services facilitate distribution and synchronization of configuration data between Cisco devices on the same network. Some of the flaws allow an unauthenticated, remote attacker to execute arbitrary code and one allows an attacker to do so as root.

Multiple switches [are vulnerable | Vulnerability-related.DiscoverVulnerability] if they've been configured to use Cisco Fabric Services, including its Nexus 2000 series through to Nexus 9000 series switches, as well as Cisco's Firepower 4100 Series Next-Gen Firewalls and other hardware.

The insufficient input validation may occur when FXOS and NX-OS process Cisco Fabric Services packets received during distribution and synchronization. There are various ways to exploit each of the flaws, depending on what Cisco Fabric Services distribution types have been configured. For example, if Fibre Channel ports are configured as a distribution type for a device, the attack could occur via Fibre Channel over Ethernet (FCoE) or Fibre Channel over IP (FCIP).

Cisco [has already rolled out | Vulnerability-related.PatchVulnerability] fixes in some releases of FXOS and NX-OS.

Cisco posted a blog this week explaining why it often [fixes | Vulnerability-related.PatchVulnerability] bugs in IOS and NX-OS releases before [disclosing | Vulnerability-related.DiscoverVulnerability] them in an advisory. It's a practice that appears to cause confusion for customers wondering why it hasn't told them fixed code [has been available | Vulnerability-related.PatchVulnerability] for several months before it [discloses | Vulnerability-related.DiscoverVulnerability] them. Cisco's answer is that some flaws [affect | Vulnerability-related.DiscoverVulnerability] more than 50 versions of its software.

"There have been some questions as to why [creating | Vulnerability-related.PatchVulnerability] fixes and [releasing | Vulnerability-related.PatchVulnerability] updates can take several weeks, or sometimes even months, before an advisory is published," Cisco's Customer Assurance Security Programs team wrote.

"In some cases, there is a large number of supported software versions to be updated. The number of affected versions that [will be updated | Vulnerability-related.PatchVulnerability] can range from single digits to nearly 50 or more. We [are committed to issuing | Vulnerability-related.PatchVulnerability] fixes for every one of those supported versions."

"If we [disclosed | Vulnerability-related.DiscoverVulnerability] the vulnerability after only [fixing | Vulnerability-related.PatchVulnerability] one release, we would unnecessarily expose all customers [running | Vulnerability-related.PatchVulnerability] other releases to potential exploitation once details about the attack itself became public."

There are also 10 medium-severity flaws, including one that [affects | Vulnerability-related.DiscoverVulnerability] some WebEx endpoints due to an already disclosed flaw in Nvidia's Tegra TX1 chips.

Over the past few weeks, hackers have targeted thousands of publicly accessible servers running database software such as MongoDB and Hadoop, and held their data for [ransom | Attack.Ransom]. Now someone is apparently taking matters into their own hands, helpfully alerting admins that their databases are vulnerable to attack.

"It looks like a friendly warning," Victor Gevers, chairman of the non-profit GDI Foundation which [discloses | Vulnerability-related.DiscoverVulnerability] security issues to affected victims, told Motherboard in a Twitter message. Gevers has been tracking the malicious attacks since they began in December, and on Monday started following this rather strange twist.

But the vigilante, whoever they may be, is creating an empty folder called "your_db_is_not_secure" in some open databases. So far, the message has been placed into 49 of the 2,641 open databases using the Cassandra software, Gevers told Motherboard.

It's not clear how effective this approach will actually be at informing potential victims, however, considering that database administrators might not even notice the slight change. Gevers recently wrote in a tweet that the GDI Foundation has been informing victims too via email, and another group of security experts tried sending emails en masse automatically to potential targets.

If the messages don't get through to database owners, maybe the ransom notes will

Hundreds of thousands–potentially more than one million–Netgear routers [are susceptible | Vulnerability-related.DiscoverVulnerability] to a pair of vulnerabilities that can lead to password disclosure.

Researchers [said | Vulnerability-related.DiscoverVulnerability] that while anyone who has physical access to a router [can exploit | Vulnerability-related.DiscoverVulnerability] the vulnerabilities locally, the real threat is that the flaw can also [be exploited | Vulnerability-related.DiscoverVulnerability] remotely. According to Simon Kenin, a security researcher with Trustwave’s Spiderlabs team, who [discovered | Vulnerability-related.DiscoverVulnerability] the flaw and [disclosed | Vulnerability-related.DiscoverVulnerability] it Monday, the vulnerabilities can be remotely [exploited | Vulnerability-related.DiscoverVulnerability] if the router’s remote management option is enabled.

While Netgear claims remote management is turned off on routers by default, Kenin said there are “hundreds of thousands, if not over a million” devices left remotely accessible.

Kenin claims that all he had to do was send a simple request to the router’s web management server to retrieve a router’s password. After determining a number that corresponds to a password recovery token, he found he could pair it with a call to the router’s passwordrecovered.cgi script. Kenin [claims | Vulnerability-related.DiscoverVulnerability] he made his discovery by leveraging two exploits [disclosed | Vulnerability-related.DiscoverVulnerability] in 2014 on some Netgear routers he had hanging around.

It wasn’t until after Kenin pieced together a Python script designed to diagnose the scope of the issue that he determined he could still retrieve the router’s credentials even if he didn’t send the correct password recovery token.

“After few trials and errors trying to reproduce the issue, I [found | Vulnerability-related.DiscoverVulnerability] that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send. This is totally new bug that I [haven’t seen | Vulnerability-related.DiscoverVulnerability] anywhere else. When I tested both bugs on different NETGEAR models, I [found | Vulnerability-related.DiscoverVulnerability] that my second bug works on a much wider range of models,” Kenin wrote Monday.

Kenin’s employer, Trustwave, [divulged | Vulnerability-related.DiscoverVulnerability] details around both vulnerabilities in a lengthy blog post Monday, putting the wraps on a nearly year-long odyssey with the vendor. The firm [first disclosed | Vulnerability-related.DiscoverVulnerability] the vulnerability to Netgear in April 2016, initially listing 18 vulnerable models, before listing 25 vulnerable models in a subsequent advisory. After repeated requests for an update on a fix for the vulnerability, Netgear finally obliged in July and [provided | Vulnerability-related.PatchVulnerability] firmware updates for a fraction of the affected routers.

It wasn’t until this weekend that Netgear [acknowledged | Vulnerability-related.DiscoverVulnerability] the issues again, [posting | Vulnerability-related.PatchVulnerability] an updated version of the article on its support page, instructing users to find and download the appropriate firmware fixes. The most recent version of the advisory claims there are 31 vulnerable models, 18 of which [are patched | Vulnerability-related.PatchVulnerability].

The company is encouraging users of some devices in which firmware is not available to implement a workaround. According to Netgear, users of 12 different models would be best served to manually enable password recovery and disable remote management on their devices.

“The potential for password exposure remains if you do not complete both steps. NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification,” the company writes.

It’s the first critical vulnerability to [affect | Vulnerability-related.DiscoverVulnerability] Netgear routers this year but the second in the last two months. In December, it [was discovered | Vulnerability-related.DiscoverVulnerability] that a handful of the company’s Nighthawk line of routers [were vulnerable | Vulnerability-related.DiscoverVulnerability] to a flaw that could have given an attacker root access on the device and allowed them to run remote code. The company was quick to [release | Vulnerability-related.PatchVulnerability] beta firmware updates to [address | Vulnerability-related.PatchVulnerability] the vulnerability but simultaneously [confirmed | Vulnerability-related.DiscoverVulnerability] that more routers than originally reported [were vulnerable | Vulnerability-related.DiscoverVulnerability].

When reached Wednesday, a Netgear spokesperson said it was aware of the vulnerability and that it was appreciative of the research Trustwave carried out.

Trustwave [discloses | Vulnerability-related.DiscoverVulnerability] an unpatched vulnerability in Brother printers with the Debut embedded webserver after numerous attempts to contact the vendor failed.