CERT and Cisco Warn of IOS Flaws

Friday Jan 26th 2007 by Sean Michael Kerner
Share:

DoS or arbitrary code executions possible.

US-CERT has issued an advisory this week that warns of vulnerabilities in Cisco's Internetwork Operating System (IOS). Cisco issued three of its own.

Security firm Secunia has labeled the vulnerabilities highly critical. IOS is Cisco's embedded operating system that runs on Cisco routers and switches that are widely deployed on a global basis. If exploited, the vulnerabilities in IOS could potentially lead to a denial of service (DoS) attack or arbitrary code execution.

One of the flaws may have allowed an attacker to exploit IOS by way of a specially crafted IP packet. Cisco notes in its advisory that it discovered the flaw during internal testing.

A memory leak condition in how IOS handles TCP packets could also potentially have been exploited leading to a degradation of service or a full-fledged DoS attack. According to Cisco, this vulnerability only applies to traffic destined to the Cisco IOS device. Traffic-transiting the Cisco IOS device will not trigger this vulnerability.

"Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe," said US-Cert in its alert.

The third flaw reported by Cisco involves a mal-crafted IPv6 packet that could potentially crash IOS. Cisco notes in its advisory that it was initially reported by a customer and a further trigger vector was discovered during developing the fix for this vulnerability.

Cisco is providing fixes to its customers for all of the reported issues.

Article courtesy of internetnews.com

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved