Malicious code targets earlier Cisco flaws

Networking giant Cisco is warning users to upgrade software following the release of proof-of-concept code that exploits vulnerabilities in a number of its products.

In a statement the company said: "Proof-of-concept code has been publicly released by an external group that exploits multiple previous vulnerabilities in various Cisco products."

It warns that customers should take steps to ensure they have addressed each of the vulnerabilities "either via a software upgrade or workarounds" in order to mitigate any risk from this new exploit code.

The company said that fixes have been released for all problems except the web administration denial of service in the Cisco 675.

The malicious code is reported to be able to exploit the following flaws in Cisco products:

• Cisco 677/678 telnet buffer overflow vulnerability
• Cisco IOS router denial of service vulnerability
• Cisco IOS HTTP authorisation vulnerability
• Cisco IOS HTTP configuration arbitrary administrative access vulnerability
• Cisco Catalyst SSH protocol mismatch denial of service vulnerability
• Cisco 675 web administration denial of service vulnerability
• Cisco Catalyst 3500 XL remote arbitrary command vulnerability
• Cisco IOS software HTTP request denial of service vulnerability
• Cisco 514 UDP flood denial of service vulnerability

More information is available from Cisco here.