Cisco Patches Denial-of-Service, Bypass Vulnerabilities in IOS
Cisco pushed out on Wednesday its usual semiannual round of patches for IOS, the software the company uses for most of its routers and switches.
This month’s security advisories addressed four vulnerabilities, three of which could lead to denial-of-service conditions and one that could have let an attacker bypass user authentication.
The bypass vulnerability stemmed from an improper implementation of the SSH version 2 protocol on IOS and IOS XE software. If exploited, an attacker – assuming they knew a legitimate username configured for RSA-based user authentication, and the public key for the user – could log in with the privileges of that user. Cisco stresses that this is merely a bypass vulnerability in IOS, not a situation where the attacker would be able to escalate privileges.
Since the bug only affects RSA-based user authentication, end users can disable that functionality to mitigate it, or simply apply the patch.
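As an added example (not from the Cisco advisory or the article), the following Python check inventories which users on a device have RSA public keys enrolled under `ip ssh pubkey-chain`, the configuration the article says can be disabled as a mitigation; an empty result means RSA-based user authentication is not in use. The running-config excerpt, hostname and usernames are constructed.

```python
"""Inventory RSA-based SSH user authentication in a Cisco IOS running-config."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
username netops privilege 15 secret 9 <placeholder>
!
ip ssh version 2
ip ssh pubkey-chain
  username netops
   key-hash ssh-rsa 1F2E3D4C5B6A79880011223344556677 netops@workstation
  username backup-ops
   key-hash ssh-rsa 00112233445566778899AABBCCDDEEFF backup@jumphost
!
line vty 0 4
 transport input ssh
!
end
"""

def rsa_auth_users(config: str) -> Dict[str, List[str]]:
    """Return {username: [key fingerprints]} for every user listed under
    'ip ssh pubkey-chain'. An empty dict means no user is configured for
    RSA-based authentication, so the bypass does not apply to this device."""
    users: Dict[str, List[str]] = {}
    in_chain = False
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "ip ssh pubkey-chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        # The block ends at the next unindented command (including '!').
        if not line.startswith(" "):
            in_chain = False
            current = None
            continue
        m = re.match(r"username\s+(\S+)$", stripped)
        if m:
            current = m.group(1)
            users.setdefault(current, [])
            continue
        m = re.match(r"key-hash\s+ssh-rsa\s+([0-9A-Fa-f]+)", stripped)
        if m and current:
            users[current].append(m.group(1).upper())
    return users

def exposed(config: str) -> bool:
    """True when at least one user has an RSA key enrolled for SSH login."""
    return any(rsa_auth_users(config).values())
```

Run it against the output of `show running-config` from each device to build the list of accounts that rely on RSA-based login before deciding between disabling the feature and patching.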
The denial-of-service vulnerabilities largely stem from issues in how IPv4 and IPv6 traffic is handled by the software.
One is the result of improper processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) processing – if an unauthenticated, remote attacker sent the right IPv4 packet they could cause a device reload. Another two are in the IPv6 snooping security feature in IOS and IOS XE – if attackers sent a malformed packet, or a flood of traffic, they could also cause a device to reload.
The patches are the first for the software in six months, as Cisco patches IOS in bundles, twice a year, in March and September.
Last month the company warned its enterprise customers that attackers were attempting to exploit IOS devices. Hackers weren’t exploiting any specific vulnerability; they were apparently using valid credentials, uploading malicious ROMMON images, and gaining persistent access to the devices.