Cisco patches latest IOS security hole

Attackers could exploit the flaw to bypass command authorization checks and gain escalated user privileges. It affects IOS version 12.0T or later.

Cisco Systems Inc. has issued a patch for its Internetwork Operating System (IOS), closing a security hole attackers could use to bypass command authorization checks and gain escalated user privileges.

The vulnerability exists within the IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, "where command authorization checks are not performed on commands executed from the Tool Command Language (Tcl) exec shell," Cisco said in its advisory. "This may allow authenticated users to bypass command authorization checks in some configurations, resulting in unauthorized privilege escalation."

More on IOS

Cisco warns of IOS, OpenSSL flaws

Cisco patches IOS flaw

Cisco IOS flaw prompts Symantec to raise threat level

Researcher causes furor by releasing flaw in Cisco IOS

The vulnerability affects IOS version 12.0T or later. Cisco said devices that don't run the AAA command authorization feature or don't support Tcl functionality are not affected by the flaw.

The San Jose, Calif.-based networking giant also warned that an authenticated user is automatically placed into the Tcl shell mode if a previous user goes into Tcl shell mode and terminates the session before leaving the Tcl shell mode. This could exacerbate the vulnerability, the company said.

The patch is the latest in a series of steps Cisco has taken to address security holes in the past week.

It patched two security holes in CallManager -- the software-based call-processing component of its IP telephony products -- and offered workarounds for a glitch in the (IOS) HTTP Server.

Dig deeper on Network Device Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close