Cisco routers on crash course

Cisco has urged users to disable web based management of its routers after a serious, and as yet unfixed vulnerability that could allow hackers to crash networks came to light.

The defect, which only affects routers, is present in any image that supports management of the router via the web from IOS (Internet Operating System) release 11.1 and all later releases.

Cisco, which is working on the problem, said that unless a router is protected from this attack via firewalls or access control lists, a workaround disabling web based management should be put in place "as soon as possible".

"If web based management of a Cisco router has been enabled, it is possible for anyone that can browse to that router's management web page to cause the router to crash and not reload," said Jim Duncan, Cisco's product security incident manager.

Peter Crowcombe, of analysts Infonetics Research, said the vast majority of internet gateways would use Cisco routers with affected software, because version 11 of IOS was released some time ago. "Anybody with the specific skill set, and there will be many out there, could target someone to bring them down," he said.

Crowcombe added that the suggested workaround disabling web management, would also be unacceptable to many. "Users will either have to disable their ability to manage their routers in their chosen way, or else face the prospect of having a router crash and not come up," he said.

The problem is the latest in an embarrassing string of security problems to affect Cisco. Last month it admitted that there was a defect in the way its routers handled the Telnet remote access protocol. This could cause a Cisco router to reload unexpectedly when tested for security vulnerabilities by security scanning software programs.

The defect, which can be fixed by using later versions of IOS, can be exploited repeatedly to produce a consistent denial of service attack.