Cisco Addresses Flaws in IOS



User avatar


Posts: 4270

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Jan 26, 2007 12:42 pm

Cisco Addresses Flaws in IOS

Cisco is providing patches for its popular Internetwork Operating System in response to the discovery of three flaws, the most serious of which would allow hackers to insert malicious code in order to corrupt devices running IOS.

The company addressed the flaws in a series of advisories released Jan. 24.

According to Cisco officials, the company's IOS TCP listener in some versions of the IOS software is vulnerable to a memory leak that could be exploited to cause a DoS (denial-of-service) attack.

Another vulnerability exists in the way Cisco IOS processes a number of different types of IPv4 packets containing a specially crafted IP option, and a third deals with IOS' failure to properly process IPv6 packets with specially crafted routing headers. Successful exploitation of these last two flaws could lead to a denial-of-service condition or the launching of arbitrary code.

In each of the advisories, the company states that it is "not aware of any public announcements or malicious use of the vulnerability described in this advisory." Cisco officials could not immediately be reached for further comment.

Andrew Storm, director of security operations for San Francisco-based nCircle Network Security, said the flaws should be taken seriously—if for no other reason than because of how widely used IOS is.

"It took me probably a good hour yesterday to find a version for my router that wasn't vulnerable," he said. "That's a daunting task when you extrapolate that to larger enterprises."

He said the workarounds proposed by Cisco, such as turning on "IP options drop," should already be part of an enterprise's standard operating procedures. If they aren't, then most likely it is because following those steps may impair functionality in areas critical to the business, he said.

The advisories by Cisco led to a warning by the U.S. Computer Emergency Readiness Team that "repeated exploitation of these vulnerabilities may result in a sustained denial-of-service condition. … Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe."

For original story:


User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Fri Jan 26, 2007 1:00 pm

Re: Cisco Addresses Flaws in IOS

Yea this is got the network engineers working over time to fix. One good thing is that you can use ACL's to protect yourself from alot of this and if you are not using IPv6 you are safe from the last advisory. Basically upgrade your IOS and make sure to lock it down. If anyone out there would like me to look at some of there configs i will but only if I do not get bogged down with too many. Feel free to contact me at slimjim100(at)gmail.com.

CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software