Red-faced networking giant Cisco has been forced to warn customers that its routers can crash when tested for security vulnerabilities by security scanning software programs.
vnunet.com, 26 Jun 2000
Red-faced networking giant Cisco has been forced to warn customers that its routers can crash when tested for security vulnerabilities by security scanning software programs.
The defect, due to a fault in Cisco's IOS (Internet Operating System) software, can be exploited repeatedly to produce a consistent denial of service (DoS) attack, Cisco has admitted. The defect first came to light two months ago but is still an issue in the field, so Cisco has issued a reminder to customers.
Cisco customers using the affected IOS software releases - which include 11.3AA, and a number of 12.0 releases up to and including 12.0(6) - are urged to upgrade as soon as possible to later versions, which are not vulnerable to the defect.
Richard Stagg, senior security architect at Information Risk Management, said Cisco is blaming security tools when the problem is far wider.
"Cisco is obfuscating the fact that its routers have a weakness to denial of service attacks," said Stagg. "The idea that these denial of service attacks can be triggered by security scans is even more embarrassing."
The DoS aspect of the flaw was discovered by several different Cisco customers while they were conducting security scans of their networks. However, Cisco said it has still received no reports of malicious exploitation of the flaw.
Cisco's advisory states: "The described defect can be used to mount a consistent and repeatable denial of service attack on any vulnerable Cisco product, which may result in violations of the availability aspects of a customer's security policy. This defect by itself does not cause the disclosure of confidential information nor allow unauthorised access."
The flaw in IOS is exposed when unspecified security scanners test for the presence of two specific vulnerabilities that affect certain Unix-based systems. These vulnerabilities are unrelated to Cisco IOS software. However, a side effect of the tests means that a router can crash without warning.
During the test, the scanning program invokes the Telnet Environ option, #36, before the router is ready to accept it. This causes the router to reset itself unexpectedly.
In lieu of a software upgrade, Cisco has also detailed workarounds. These involve setting up an interactive log-in capability without using the Telnet service, thus mitigating the threat.
This vulnerability affects a wide range of Cisco's hardware line including series access servers, routers, access products and voice gateway products running vulnerable software.
Cisco Systems has made known a potentially devastating security vulnerability in its operating system software that could allow an attacker to intercept and modify traffic going to and from routers and switches.
Cisco has released a security advisory for its Arrowpoint switch, revealing that non-privileged users can either force a denial of service attack on the hardware or view files to which they do not have access rights.
Cisco has been forced to alert users to a potentially devastating problem with its firewall product only days after launching a new security programme.
Cisco has admitted that a defect in the software running on its Gigabit Switch Router family leaves them vulnerable to denial of service attacks.
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
Surviving veterans of the code-breaking facility to receive badge of...
Telco begins major rollout in 69 locations across the UK
Do you agree?
Have your say on this article