CERT and Cisco Warn of IOS Flaws

By Sean Michael Kerner | Jan 26, 2007 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3656321/CERT-and-Cisco-Warn-of-IOS-Flaws.htm

US-CERT has issued an advisory this week that warns of vulnerabilities in Cisco's Internetwork Operating System (IOS). Cisco issued three of its own.

Security firm Secunia has labeled the vulnerabilities highly critical. IOS is Cisco's embedded operating system that runs on Cisco routers and switches that are widely deployed on a global basis. If exploited, the vulnerabilities in IOS could potentially lead to a denial of service (DoS) attack or arbitrary code execution.

One of the flaws may have allowed an attacker to exploit IOS by way of a specially crafted IP packet. Cisco notes in its advisory that it discovered the flaw during internal testing.

A memory leak condition in how IOS handles TCP packets could also potentially have been exploited leading to a degradation of service or a full-fledged DoS attack. According to Cisco, this vulnerability only applies to traffic destined to the Cisco IOS device. Traffic-transiting the Cisco IOS device will not trigger this vulnerability.

"Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe," said US-Cert in its alert.

The third flaw reported by Cisco involves a mal-crafted IPv6 packet that could potentially crash IOS. Cisco notes in its advisory that it was initially reported by a customer and a further trigger vector was discovered during developing the fix for this vulnerability.

Cisco is providing fixes to its customers for all of the reported issues.

Article courtesy of internetnews.com