Cisco has issued a fix for a high-risk security hole in its Internetwork Operating System (IOS), which attackers could exploit to cause a denial of service or launch malicious code. Since IOS runs on the San Jose, Calif.-based networking giant's routers and switches -- a significant part of the Internet's infrastructure -- Cupertino, Calif.-based antivirus giant Symantec has raised its global threat index to Level 2.
"Given the recent attention to exploitation of vulnerabilities in Cisco's IOS it is possible that this issue will see attempts at exploit development in the near term," Symantec researchers wrote in an alert to its DeepSight Threat Management System customers.
In its advisory, Cisco said its IOS software "is vulnerable to a denial of service and potentially an arbitrary code execution attack when processing the user authentication credentials from an Authentication Proxy Telnet/FTP session. To exploit this vulnerability an attacker must first complete a TCP connection to the IOS device running affected software and receive an auth-proxy authentication prompt."
Devices running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface:
- 12.2ZH and 12.2ZL based trains
- 12.3 based trains
- 12.3T based trains
- 12.4 based trains
- 12.4T based trains
"To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner," Cisco said. "Cisco IOS software will identify itself as 'Internetwork Operating System Software' or simply 'IOS.' On the next line of output, the image name will be displayed between parentheses, followed by 'Version' and the Cisco IOS release name. Other Cisco devices will not have the show version command, or will give different output."
The advisory outlines fixes available to those who are affected.
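As an added example (not code from Cisco, Symantec or this article), the Python below applies the two conditions above to saved "show version" and running-config text: the release train is on the article's list, and an FTP or Telnet auth-proxy rule is applied to an interface that is not shut down. The sample inputs are constructed. It assumes the "ip auth-proxy name <rule> ftp|telnet" configuration syntax, reads "active" as "not administratively shut down", matches the six train names exactly rather than resolving derived special releases, and has no list of fixed releases, so a match means "check Cisco's advisory".

```python
import re
# Release trains the article lists as affected.
AFFECTED_TRAINS = {"12.2ZH", "12.2ZL", "12.3", "12.3T", "12.4", "12.4T"}
# Image name in parentheses, then "Version" and the release name.
BANNER_RE = re.compile(r"\(([^)]+)\),\s+Version\s+((\d+\.\d+)\(\w+\)([A-Z]*)\w*)")

def parse_banner(show_version):
    """Return (image, release, train) from 'show version' text, or None."""
    lines = show_version.splitlines()
    for i, line in enumerate(lines):
        if "IOS" in line or "Internetwork Operating System" in line:
            m = BANNER_RE.search(" ".join(lines[i:i + 2]))  # this line or the next
            if m:
                image, release, major, letters = m.groups()
                return image, release, major + letters
    return None

def auth_proxy_interfaces(running_config):
    """Interfaces that are not shut down and apply an FTP/Telnet auth-proxy rule."""
    rules = set(re.findall(r"^ip auth-proxy name (\S+) (?:ftp|telnet)\b",
                           running_config, re.M))
    applied, shut, current = set(), set(), None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current and line.strip() == "shutdown":
            shut.add(current)
        elif current:
            m = re.match(r"\s+ip auth-proxy (\S+)\s*$", line)
            if m and m.group(1) in rules:
                applied.add(current)
    return sorted(applied - shut)

def needs_review(show_version, running_config):
    """True when the train is listed as affected and auth-proxy is in use."""
    banner = parse_banner(show_version)
    return bool(banner and banner[2] in AFFECTED_TRAINS
                and auth_proxy_interfaces(running_config))

# Constructed sample input, not output from a real device.
SAMPLE_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc1)"""
SAMPLE_CONFIG = """ip auth-proxy name PXY telnet
interface FastEthernet0/0
 ip auth-proxy PXY
"""
print(parse_banner(SAMPLE_VERSION), needs_review(SAMPLE_VERSION, SAMPLE_CONFIG))
```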
Symantec's advisory offered the following suggestions:
- Block external access at the network boundary, unless service is required by external parties.
- Block external access to the device if possible. Only allow connections from trusted hosts and networks.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Examine IDS logs regularly for signs of attempted exploitation.