Cisco warns of DoS flaw in IOS

Cisco has issued a security warning detailing a potentially serious flaw which could allow hackers to run denial of service attacks against customers using network equipment running the firm's IOS platform.

Vulnerable devices running IOS enabled for the Border Gateway Protocol (BGP) can be attacked with a malformed BGP packet, the networking giant warned.

The vulnerability is present in any unfixed version of Cisco IOS, from the beginning of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x. However, only devices with the command 'bgp log-neighbor-changes' configured are at risk.

The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured trusted peer, it would be difficult to inject a malformed packet, Cisco stated.

"A Cisco device receiving an invalid BGP packet will reset and may take several minutes to become fully functional. This vulnerability may be exploited repeatedly resulting in an extended DoS attack," a Cisco advisory warned.

"This bug may also be triggered by other means which are not considered remotely exploitable. The use of the commands show 'ip bgp neighbors' or 'debug ip bgp' [neighbour] updates can cause a router to reload if a router has previously queued a malformed packet.

"If there are no queued malformed packets, issuing these commands will have no harmful side effects."

Cisco advised users to check the version of IOS software running by logging into the device and using the 'show version' command to display the system banner.

IOS software will identify itself as 'Internetwork Operating System Software' or IOS. On the next line of output, the image name will be displayed between brackets, followed by 'Version' and the IOS release name.

Cisco has made free software available to address this problem which can be downloaded here.