
US-CERT: Cisco not the only victim of Unicode flaw

By Bill Brenner, Senior News Writer
15 May 2007 | SearchSecurity.com


Updated May 16 to include other vendors affected by the Unicode vulnerability.

For the second time in less than a week, Cisco Systems is acknowledging a flaw in its security products. The latest problem is that digital miscreants could exploit a flaw in Cisco's Intrusion Prevention System (IPS) and Internetwork Operating System (IOS) with Firewall/IPS Feature Set to evade security restrictions and launch attacks. Unlike last week's IOS issue, this one hasn't been patched yet.

Cisco is not the only vendor affected. Researchers believe more than 90 security tools from different vendors may be at risk, and 3Com Corp.'s TippingPoint division has confirmed it is among those affected.

The flaw was reported by the United States Computer Emergency Readiness Team (US-CERT) and originally discovered by researchers Fatih Ozavci and Caglar Cakici of Turkish security firm GamaSec. The researchers discovered that online outlaws could evade Cisco's IPS and firewall to secretly scan and attack targeted systems by encoding their attacks with a full-width or half-width Unicode character set.
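The evasion described above works because a signature engine that compares raw bytes never sees the ASCII string it is looking for when the same characters arrive as Unicode full-width compatibility forms, while the target host folds them back before acting on them. The following is an added illustration written for this page, not code from Cisco, GamaSec, US-CERT or any vendor's rule set; the signature list, the sample HTTP requests and the assumption that the endpoint canonicalizes compatibility characters to ASCII are all constructed for the example. It shows the same request matched two ways: on raw bytes, where the full-width encoding slips past, and after NFKC normalization, where it is caught.

```python
import unicodedata

# Constructed signature list (hypothetical, not any vendor's rules): plain
# ASCII patterns a signature-based IPS might look for in an HTTP request.
SIGNATURES = ["/etc/passwd", "cmd.exe"]


def canonicalize(payload: bytes) -> str:
    """Decode UTF-8 and apply NFKC normalization.

    NFKC folds compatibility characters to their standard forms: the full-width
    ASCII block U+FF01-U+FF5E becomes ordinary ASCII, and half-width katakana
    U+FF61-U+FF9F become their standard katakana. Matching on this view sees
    what a canonicalizing endpoint would see.
    """
    text = payload.decode("utf-8", errors="replace")
    return unicodedata.normalize("NFKC", text)


def naive_match(payload: bytes) -> list:
    """Raw byte comparison, i.e. an engine that does not normalize first."""
    return [sig for sig in SIGNATURES if sig.encode("utf-8") in payload]


def normalized_match(payload: bytes) -> list:
    """Same signatures, applied to the NFKC-normalized text instead."""
    text = canonicalize(payload)
    return [sig for sig in SIGNATURES if sig in text]


# Constructed sample requests. FULLWIDTH carries the same path as PLAIN, but
# each ASCII character 0x21-0x7E is replaced by its full-width form at
# U+FF01-U+FF5E (e.g. U+FF0F FULLWIDTH SOLIDUS instead of "/").
PLAIN = b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.1\r\n"
FULLWIDTH = (
    "GET /cgi-bin/view?file="
    "\uff0f\uff45\uff54\uff43\uff0f\uff50\uff41\uff53\uff53\uff57\uff44"
    " HTTP/1.1\r\n"
).encode("utf-8")


def compare() -> dict:
    """Return the verdict of both matchers on both samples."""
    return {
        "plain_naive": naive_match(PLAIN),
        "plain_normalized": normalized_match(PLAIN),
        "fullwidth_naive": naive_match(FULLWIDTH),
        "fullwidth_normalized": normalized_match(FULLWIDTH),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:22s} -> {hits}")
```

The raw-byte matcher flags the plain request but returns nothing for the full-width one, even though the normalized text of both is identical; the normalizing matcher flags both. The general defensive lesson is the same one US-CERT draws in its advisory: inspection devices must decode and canonicalize traffic the same way the protected host does before applying signatures, otherwise every canonicalization step the host performs is an evasion channel.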

No fix or workaround is currently available, Danish vulnerability clearinghouse Secunia noted in its advisory on the flaw.

The specific product versions affected by the flaw are Cisco Intrusion Prevention System (IPS) versions 4 and 5, and IOS versions 10, 11 and 12.

Last week, Cisco fixed a pair of flaws in its Internetwork Operating System (IOS) that attackers could exploit to cause a denial of service or tamper with data in a device's file system.

In that case, the IOS was improperly verifying user credentials within the FTP server. Remote attackers could exploit this to "bypass the authentication process and retrieve or write any file from the device file system (including the configuration file)," the networking giant warned. Also, an error in the FTP server surfaces when certain files are transferred. Remote attackers could use the error to cause a vulnerable device to reload, creating a denial-of-service condition.

The flaws affected Cisco IOS versions 11.3, 12.0, 12.1, 12.2, 12.3 and 12.4.

US-CERT said in its advisory that the flaw also appears to affect the security products of many other vendors, including Microsoft, McAfee, Juniper, Sourcefire and Symantec. Those vendors have not confirmed whether they are indeed affected, however. The US-CERT advisory offers a complete list of those who may be at risk.





