March 25th, 2009

Cisco IOS patch day covers multiple vulnerabilities

Posted by Ryan Naraine @ 5:18 pm

Categories: Arbitrary Code Execution, Botnets, Browsers, Cisco, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Passwords, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research

Tags: Denial Of Service, Cisco IOS, Device, Cisco IOS Software, Vulnerability, Cisco Systems Inc., Security, Ryan Naraine

Cisco has shipped a batch of patches to cover multiple vulnerabilities affecting IOS, the software that powers the vast majority of Cisco’s routers and switches.

In all, the company released 8 separate advisories with warnings for information disclosure, privilege escalation, denial-of-service vulnerabilities. The raw details:

• Advisory #1: Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
• Advisory #2: Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
• Advisory #3: A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
  • The configured feature may stop accepting new connections or sessions.
  • The memory of the device may be consumed.
  • The device may experience prolonged high CPU utilization.
  • The device may reload.
• Advisory #4: Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
  • Crafted HTTPS packet will crash device.
  • SSLVPN sessions cause a memory leak in the device.
• Advisory #5: Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.
• Advisory #6: The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device’s file system, including the device’s saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
• Advisory #7: A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that can be exploited remotely to cause a reload of the Cisco IOS device.
• Advisory #8: A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature.

* Image source: Webhamster’s Flickr photostream (Creative Commons 2.0)