CERT and Cisco Warn of IOS Flaws

DoS or arbitrary code executions possible.

By Sean Michael Kerner | Posted Jan 26, 2007
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

US-CERT has issued an advisory this week that warns of vulnerabilities in Cisco's Internetwork Operating System (IOS). Cisco issued three of its own.

Security firm Secunia has labeled the vulnerabilities highly critical. IOS is Cisco's embedded operating system that runs on Cisco routers and switches that are widely deployed on a global basis. If exploited, the vulnerabilities in IOS could potentially lead to a denial of service (DoS) attack or arbitrary code execution.

One of the flaws may have allowed an attacker to exploit IOS by way of a specially crafted IP packet. Cisco notes in its advisory that it discovered the flaw during internal testing.

A memory leak condition in how IOS handles TCP packets could also potentially have been exploited leading to a degradation of service or a full-fledged DoS attack. According to Cisco, this vulnerability only applies to traffic destined to the Cisco IOS device. Traffic-transiting the Cisco IOS device will not trigger this vulnerability.

"Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe," said US-Cert in its alert.

The third flaw reported by Cisco involves a mal-crafted IPv6 packet that could potentially crash IOS. Cisco notes in its advisory that it was initially reported by a customer and a further trigger vector was discovered during developing the fix for this vulnerability.

Cisco is providing fixes to its customers for all of the reported issues.

Article courtesy of internetnews.com

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter