Today Cisco announced patches to IOS that address denial of service vulnerabilities, and a bug that could allow malicious users access to VPNs.
According to a notice sent out by the company, versions of its Internetwork Operating System (IOS) configured to use the IOS Secure Shell Server (SSH) contain a pair of vulnerabilities that would allow malicious users to cause devices running IOS to exhaust their available resources, forcing a reload. Exploited enough times, the company warned, the vulnerability could cause a denial of service.
According to the notice posted on its site, the vulnerability affects "any Cisco device running an unfixed version of Cisco IOS that supports, and is configured to use, the SSH server functionality." The company said running the command "show ip ssh" would indicate whether SSH functionality is enabled on a given device, and would also show the version of SSH running on the device. The advisory indicates that one of the vulnerabilities affects only equipment using the SSH2 protocol, while both affect equipment running the SSH1 protocol.
A list of affected releases and update information is provided in the advisory.
The second vulnerability Cisco reported today is an authentication issue in IOS that affects all Cisco devices running any version of Cisco IOS that supports, and is configured for, Cisco Easy VPN Server Xauth version 6 authentication.
According to the company's announcement, malformed packets sent to UDP port 500 of the IOS Easy VPN Server could permit an unauthorized user to complete authentication and gain access to network resources.
The vulnerability is the more obscure of the two reported today, in that it requires the attacker to know the VPN's shared group key in order to complete one step of the connection negotiation before the Xauth negotiation, where the vulnerability lies, takes place.
Affected versions of IOS are listed in the advisory on Cisco's site.