Cisco warns of new IOS flaws

Robert Westervelt, News Director

Cisco has issued a warning to customers about a flaw in its IOS software that, if exploited by an attacker, could cause a device to crash while processing malformed Secure Sockets Layer (SSL) packets. The networking giant also warned that a third-party program flaw threatens IOS users.

Cisco said in its advisory that the vulnerabilities in its IOS software could be exploited by sending malformed packets during the SSL protocol exchange with the vulnerable device. Cisco also released a fix for the flaws.

The flaws are in the way the device processes ClientHello messages, ChangeCipherSpec messages, and Finished messages. The vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol.

Cisco classified the vulnerabilities as "low" but said successful exploitation may result in the crash of the affected device or a sustained DoS condition.

"Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device," Cisco said. "These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information."

Cisco also warned of a third-party flaw affecting its products, including IOS.

"A vulnerability has been discovered in a third-party cryptographic library which is used by a number of Cisco products," the company said in an advisory. "This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password)."

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service, Cisco said. However, it added, "the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information."

The vulnerable cryptographic library is used in Cisco IOS; Cisco IOS XR; Cisco PIX and ASA Security Appliances; Cisco Firewall Service Module (FWSM); and Cisco Unified CallManager.

