
Cisco warns of new IOS flaws

By Robert Westervelt and Bill Brenner, SearchSecurity.com Staff
22 May 2007 | SearchSecurity.com

Security Wire Daily News

Cisco has warned customers about a flaw in its IOS software that, if exploited by an attacker, could cause a device to crash while processing malformed Secure Sockets Layer (SSL) packets. The networking giant also warned that a flaw in a third-party program threatens IOS users.

Cisco said in its advisory that the vulnerabilities in IOS could be exploited by sending malformed packets to a vulnerable device during the SSL protocol exchange. Cisco also released a fix for the flaws.

The flaws are in the way the device processes ClientHello messages, ChangeCipherSpec messages, and Finished messages. The vulnerabilities affect all Cisco devices running Cisco IOS software configured to use the SSL protocol.
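The article does not say what was malformed in these messages, so the following added example (not Cisco's code and not from the advisory) shows only the length-consistency checks any receiver of ClientHello and ChangeCipherSpec records has to make before trusting a declared length. The function names and the sample bytes are constructed for illustration, and each handshake message is assumed to fit in a single record.

```python
import struct

MAX_RECORD = 2**14 + 2048   # largest encrypted record fragment the protocol allows
CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23

def check_client_hello(body):
    """Return a problem string for a ClientHello body, or None if consistent."""
    if len(body) < 35:      # version(2) + random(32) + session_id length(1)
        return "ClientHello shorter than fixed fields"
    sid_len, pos = body[34], 35
    if sid_len > 32 or pos + sid_len + 2 > len(body):
        return "bad session_id length"
    pos += sid_len
    cs_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len + 1 > len(body):
        return "bad cipher_suites length"
    pos += cs_len
    cm_len = body[pos]
    if cm_len == 0 or pos + 1 + cm_len > len(body):
        return "bad compression_methods length"
    return None

def check_stream(data):
    """Walk client-to-server records; return [(offset, problem), ...]."""
    problems, pos, encrypted = [], 0, False
    while pos < len(data):
        if len(data) - pos < 5:
            return problems + [(pos, "truncated record header")]
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        if ctype not in (CCS, ALERT, HANDSHAKE, APPDATA) or length > MAX_RECORD or len(body) < length:
            return problems + [(pos, "bad record type or length")]
        if ctype == CCS:
            if body != b"\x01":          # the message is a single byte of value 1
                problems.append((pos, "malformed ChangeCipherSpec"))
            encrypted = True             # what follows (Finished) is ciphertext
        elif ctype == HANDSHAKE and not encrypted:
            msg_len = int.from_bytes(body[1:4], "big")
            if len(body) < 4 or 4 + msg_len > len(body):
                problems.append((pos, "handshake length exceeds record"))
            elif body[0] == 1 and (err := check_client_hello(body[4:4 + msg_len])):
                problems.append((pos, err))
        pos += 5 + length
    return problems

# Constructed sample: minimal ClientHello record followed by ChangeCipherSpec.
HELLO = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
GOOD = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + HELLO
        + b"\x14\x03\x01\x00\x01\x01")
```

The Finished message travels encrypted after ChangeCipherSpec, so from the wire only its record-layer length can be checked; its contents are validated after decryption.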

Cisco classified the vulnerabilities as "low" but said successful exploitation may result in the crash of the affected device or a sustained denial-of-service (DoS) condition.

"Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device," Cisco said. "These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information."

Cisco also warned of a third-party flaw affecting its products, including IOS.

"A vulnerability has been discovered in a third-party cryptographic library which is used by a number of Cisco products," the company said in an advisory. "This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password)."

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service, Cisco said. However, it added, "the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information."

The vulnerable cryptographic library is used in Cisco IOS; Cisco IOS XR; Cisco PIX and ASA Security Appliances; Cisco Firewall Service Module (FWSM); and Cisco Unified CallManager.


