
Security checks crash Cisco routers

by John Leyden

26 Jun 2000


Red-faced networking giant Cisco has been forced to warn customers that its routers can crash when security scanning software tests them for vulnerabilities.

The defect, due to a fault in Cisco's IOS (Internet Operating System) software, can be exploited repeatedly to produce a consistent denial of service (DoS) attack, Cisco has admitted. The defect first came to light two months ago but is still an issue in the field, so Cisco has issued a reminder to customers.

Cisco customers using the affected IOS software releases - which include 11.3AA and a number of 12.0 releases up to and including 12.0(6) - are urged to upgrade as soon as possible to later versions, which are not vulnerable to the defect.

Richard Stagg, senior security architect at Information Risk Management, said Cisco is blaming security tools when the problem is far wider.

"Cisco is obfuscating the fact that its routers have a weakness to denial of service attacks," said Stagg. "The idea that these denial of service attacks can be triggered by security scans is even more embarrassing."

The DoS aspect of the flaw was discovered by several different Cisco customers while they were conducting security scans of their networks. However, Cisco said it has still received no reports of malicious exploitation of the flaw.

Cisco's advisory states: "The described defect can be used to mount a consistent and repeatable denial of service attack on any vulnerable Cisco product, which may result in violations of the availability aspects of a customer's security policy. This defect by itself does not cause the disclosure of confidential information nor allow unauthorised access."

The flaw in IOS is exposed when unspecified security scanners test for the presence of two specific vulnerabilities that affect certain Unix-based systems. These vulnerabilities are unrelated to Cisco IOS software. However, a side effect of the tests means that a router can crash without warning.

During the test, the scanning program invokes the Telnet Environ option, #36, before the router is ready to accept it. This causes the router to reset itself unexpectedly.
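Defenders can look for this negotiation in captured Telnet traffic. The following Python is an added example, not code from Cisco or from the original article: it walks one direction of a Telnet byte stream (RFC 854 framing) and reports every negotiation that names option 36. The function name `find_option` and the sample bytes are constructed for illustration.

```python
# Telnet command bytes (RFC 854) and the ENVIRON option number named in the article.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
ENVIRON = 36


def find_option(stream: bytes, option: int = ENVIRON):
    """Return (offset, command) for each negotiation of `option` in one
    direction of a Telnet session, e.g. the client-to-router bytes."""
    hits = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= n:
            break                       # truncated capture: lone IAC at the end
        cmd = stream[i + 1]
        if cmd == IAC:
            i += 2                      # IAC IAC is an escaped 0xFF data byte
        elif cmd in NEGOTIATE:
            if i + 2 >= n:
                break                   # truncated before the option byte
            if stream[i + 2] == option:
                hits.append((i, NEGOTIATE[cmd]))
            i += 3
        elif cmd == SB:
            if i + 2 >= n:
                break
            if stream[i + 2] == option:
                hits.append((i, "SB"))
            # Skip the subnegotiation body up to IAC SE, honouring IAC IAC.
            j = i + 3
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            i = j + 2
        else:
            i += 2                      # other two-byte commands (NOP, GA, ...)
    return hits


# Constructed sample: client-to-server bytes, not taken from a real capture.
SAMPLE = (
    bytes([IAC, 251, 24])               # WILL TERMINAL-TYPE (option 24)
    + bytes([IAC, 251, ENVIRON])        # WILL ENVIRON (option 36)
    + bytes([IAC, SB, 24, 0]) + b"vt100" + bytes([IAC, SE])
    + b"login\xff\xffname\r\n"          # data containing an escaped 0xFF
)
```

Run over the client side of each Telnet session to a router, the offsets show how early in the connection the option was sent.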

In lieu of a software upgrade, Cisco has also detailed workarounds. These involve setting up an interactive log-in capability without using the Telnet service, thus mitigating the threat.

This vulnerability affects a wide range of Cisco's hardware line including series access servers, routers, access products and voice gateway products running vulnerable software.
