Multiple Flaws Hound Cisco

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

A week after Cisco reported a vulnerability in its Internetwork Operating System (IOS) Software Embedded Call Processing Solutions, the company has, thrice again, been hit.

A trio of potential Denial-of-Service (DoS) vulnerabilities has been reported in the IOS that involves issues with the way it handles Multi Protocol Label Switching (MPLS) packet processing, IPv6 and the Border Gateway Protocol . Though the root cause is different for each of the vulnerabilities, the potential end result is the same.

In each case the vulnerability could potentially be exploited to cause the device that uses the Cisco IOS to reload, which could lead to a sustained DoS condition.

"Since devices running IOS may transit traffic for a number of other networks, the secondary impacts of a Denial of Service may be severe," the US-CERT advisory states.

The MPLS vulnerability allows improperly formed MPLS packets to cause the device reload. MPLS is a vendor-independent protocol for integrating layer 2 information into layer 3. Cisco notes in its advisory that routers running the IOS that support MPLS are vulnerable to a DoS attack on MPLS-disabled interfaces.

The flaw affects products that support MPLS running a vulnerable version of IOS:

  • 2600 and 2800 series routers;
  • 3600, 3700 and 3800 series routers;
  • 4500 and 4700 series routers; and
  • 5300, 5350 and 5400 series Access Servers.

The IPv6 vulnerability is exploited by "crafted" IPv6 packets.

The vulnerability affects both logical and physical Cisco interfaces running a vulnerable version of the IOS that are configured for IPv6. The vulnerability is also exploited even if IPv6 is not running globally.

"A router that has IPv6 enabled on a physical or logical interface is vulnerable to this issue even if IPv6 unicast routing is globally disabled," the Cisco advisory states.

The BGP packet vulnerability, like the MPLS and IPv6 vulnerabilities,is rooted in a malformed packet issue. The malformed packets may not necessarily come from a malicious source, according to Cisco's advisory. Also, the bug may be triggered by other means that are not considered remotely exploitable.

"Malformed packets may not come from malicious sources; a valid peering device such as another BGP speaking router which produces the specific malformed packet in error may trigger this behavior," the advisory states.

The BGP flaw affects any unfixed version of the Cisco IOS (Including 9.x, 10.x, 11.x and 12.x) running on a device configured for BGP routing running with a particular command (bgp log-neighbor-changes).

Cisco has published workarounds and patches for all of the issues, and they're available via normal Cisco update channels.