
Cisco warns of DoS flaw in switches

by James Middleton

11 Jul 2003


Cisco is warning of a denial of service vulnerability that affects certain models of switches in its Catalyst 4000, 5000 and 6000 lines.

After receiving eight connection attempts using a non-standard TCP flag combination, the switch will stop responding to further TCP connections to that particular service, effectively causing a denial of service.

The vulnerability affects only switches running CatOS. Cisco said the affected platforms are the Catalyst 4000 Series (including the 2948G and 2980G/2980G-A models), the Catalyst 5000 Series (including the 2901, 2902 and 2926 models) and the Catalyst 6000.

The firm confirmed that there is no workaround: the only way to restore the affected service is to reboot the switch. Cisco is offering free software upgrades to fix the problem.

The switch will continue to pass other switched traffic normally and the console is also not affected. Only the service to which connections were made will become unresponsive.

Cisco said that by exploiting this vulnerability, an attacker could prevent further use of the specified TCP-based service.

Depending on the configuration of the device, if SSH or Telnet are enabled and targeted, the availability of those services could be affected, possibly resulting in a loss of remote management capability over those services.

UDP-based services such as Simple Network Management Protocol (SNMP) would remain available and unaffected.

Although the only way to recover an affected service is to reboot, it is possible to reduce the exposure by configuring VLAN access control lists (VACLs) on the switch so that only legitimate hosts are allowed to connect to the services in question.

This must be combined with Unicast Reverse Path Forwarding, or some other anti-spoofing technique, on the network edge to protect against spoofed packets from outside the network.
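The trigger described above (a small number of TCP segments with an unusual flag combination aimed at one service on the switch) is something a defender can watch for in flow or packet logs while the upgrade is being scheduled. The following is an added example written for this page, not Cisco's code or anything from the advisory: it reads constructed, invented sample records (one TCP segment per line), treats any flag combination outside the normal handshake, data and teardown set as non-standard (an assumption, since the article does not name the specific combination), counts such segments per switch service, and reports any service that has reached the eight-attempt threshold the article cites, together with the source sending most of them. The log format, the address values and the set of "standard" flag combinations are all assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample records (invented for this example, not from the article).
# Format per line: "src_ip src_port dst_ip dst_port flags", where flags is a
# string of S/A/F/R/P/U letters, or "-" for a segment carrying no flags at all.
SAMPLE_LOG = """\
198.51.100.7 40001 192.0.2.10 22 S
198.51.100.7 40002 192.0.2.10 22 A
203.0.113.9 51000 192.0.2.10 23 SF
203.0.113.9 51001 192.0.2.10 23 SF
203.0.113.9 51002 192.0.2.10 23 -
203.0.113.9 51003 192.0.2.10 23 SF
203.0.113.9 51004 192.0.2.10 23 SF
203.0.113.9 51005 192.0.2.10 23 FPU
203.0.113.9 51006 192.0.2.10 23 SF
203.0.113.9 51007 192.0.2.10 23 SF
198.51.100.7 40003 192.0.2.10 23 S
203.0.113.9 51008 192.0.2.10 22 SF
203.0.113.9 51009 192.0.2.10 22 SR
"""

# Flag combinations a well-formed TCP exchange produces. Assumption: the
# advisory does not name the offending combination, so anything outside this
# set (SYN+FIN, no flags, SYN+RST, FIN+PSH+URG, ...) is treated as non-standard.
STANDARD_FLAG_SETS = {
    frozenset("S"), frozenset("SA"), frozenset("A"), frozenset("PA"),
    frozenset("FA"), frozenset("FPA"), frozenset("R"), frozenset("RA"),
}

# The article states the service stops responding after eight such attempts.
ADVISORY_THRESHOLD = 8


def is_nonstandard(flags):
    """True if the flag string is not one of the normal TCP combinations."""
    bits = frozenset() if flags == "-" else frozenset(flags.upper())
    return bits not in STANDARD_FLAG_SETS


def parse_line(line):
    """Split one record into (src_ip, src_port, dst_ip, dst_port, flags)."""
    src, sport, dst, dport, flags = line.split()
    return src, int(sport), dst, int(dport), flags


def count_nonstandard(log_text):
    """Count non-standard segments per (switch, port) and per source host."""
    per_service = Counter()
    sources = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, dport, flags = parse_line(line)
        if is_nonstandard(flags):
            per_service[(dst, dport)] += 1
            sources[(dst, dport)][src] += 1
    return per_service, sources


def alerts(log_text, threshold=ADVISORY_THRESHOLD):
    """Return one alert dict per service that has reached the threshold."""
    per_service, sources = count_nonstandard(log_text)
    out = []
    for (dst, dport), n in sorted(per_service.items()):
        if n >= threshold:
            top_src, _ = sources[(dst, dport)].most_common(1)[0]
            out.append({"switch": dst, "port": dport,
                        "count": n, "top_source": top_src})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"{a['switch']}:{a['port']} reached {a['count']} non-standard "
              f"attempts (most from {a['top_source']}); service may need a reboot")
```

On the sample data the Telnet service on 192.0.2.10 reaches the threshold while SSH does not, and the top source reported is the host a VACL would need to exclude. Lowering the threshold (say to three or four) gives earlier warning, at the cost of more noise from scanners that happen to probe the management addresses.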

Cisco said that the vulnerability was reported by a customer, but that it had received no reports of malicious use.

An advisory is available here.
