
Cisco gigabit routers vulnerable to attack

by John Leyden

07 Aug 2000

Cisco has admitted that a defect in the software running on its Gigabit Switch Router family leaves them vulnerable to denial of service attacks.

There is no workaround to the problem, and users are being urged to upgrade to unaffected versions of Cisco's Internet Operating System (IOS) software as soon as possible.

The defect, which affects gigabit ethernet and fast ethernet cards, may cause packets to be forwarded without correctly evaluating configured access control lists.

In a security notice, Cisco spelled out the serious impact the problem might have: "In addition to circumventing the access control lists, it is possible to stop an interface from forwarding any packets, thus causing a denial of service."

Peter Crowcombe, of Infonetics Research, said: "Using this, you could produce the same effect as a denial of service attack but with a pinpoint strike - you don't need to put agents on lots of devices."

"Most service providers would find out about denials of service using other tools, but this is significant for users and embarrassing for Cisco," said Crowcombe, who added there would be a "small window of vulnerability" for attacks while users grapple with the logistics and pre-testing involved with an upgrade.

The flaw is one of a number of security vulnerabilities in widely used Cisco products using common configurations that have come to light in recent months.

Paul Cronin, head of penetration testing at CenturyCom, said the latest problem is a severe enough threat to perimeter security that users should upgrade their router software as soon as possible.

"This is definitely a risk. People attacking a network could modify access control lists to gain easier access through the box," he said.

Cisco said that, because of the complex nature of the problem, it is difficult to predict the exact results of any attacks that take advantage of the vulnerability; it added that it has received no reports of malicious exploitation.

"Under certain conditions it is possible to circumvent compiled access control lists with a moderate probability of success. A possible side-effect is that the attacked interface may stop forwarding packets without logging an error, requiring the card to be reset via software," the company said.

The flaw affects gigabit ethernet and fast ethernet cards on the 12008, 12012 and 12016 Gigabit Switch Routers, which are used in the backbones of large networks or by service providers. The vulnerability can be addressed by upgrading to either Cisco IOS version 11.2(19)GS0.2 or one of several versions of 12.0.
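Cisco's note that an attacked interface may stop forwarding without logging an error means syslog alone will not reveal the condition. The following Python is an added illustration, not from the article or from Cisco, of the check an operator would run against polled interface counters for exactly that pattern: operational status still up, but packet counters flat across several consecutive polls after the interface had previously carried traffic. The poll snapshots are constructed, and the field names are assumed to map onto the standard IF-MIB ifOperStatus and packet counters.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IfSample:
    """One poll of an interface: epoch seconds, ifOperStatus (True = up), packet counters."""
    ts: int
    oper_up: bool
    in_pkts: int
    out_pkts: int


def find_silent_stall(samples: List[IfSample], flat_polls: int = 3) -> Optional[int]:
    """Return the timestamp at which a silent stall is first confirmed, or None.

    A stall is confirmed when the interface reports up, it carried traffic
    earlier in the window, and neither counter has changed across
    `flat_polls` consecutive intervals. Any change, including a decrease
    from a counter wrap or card reset, counts as activity and resets the run.
    """
    seen_traffic = False
    flat = 0
    for prev, cur in zip(samples, samples[1:]):
        moved = cur.in_pkts != prev.in_pkts or cur.out_pkts != prev.out_pkts
        if moved:
            seen_traffic = True
            flat = 0
            continue
        if cur.oper_up and seen_traffic:
            flat += 1
            if flat >= flat_polls:
                return cur.ts
        else:
            flat = 0  # an administratively or physically down interface is expected to be idle
    return None


# Constructed polls at 60 s intervals: traffic flows, then the card goes quiet while still "up".
SAMPLES = [
    IfSample(0, True, 1000, 900),
    IfSample(60, True, 1800, 1650),
    IfSample(120, True, 2600, 2400),
    IfSample(180, True, 2600, 2400),
    IfSample(240, True, 2600, 2400),
    IfSample(300, True, 2600, 2400),
]

if __name__ == "__main__":
    print(find_silent_stall(SAMPLES))  # 300
```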
