InfoScope

tech news clips

Friday, January 28, 2005

More Cisco product vulnerabilities

28 January 2005
US-CERT issues warnings
By Brendan Sullivan, IDG news service

A leading security agency has warned that Cisco's router operating system, IOS, contains several vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) said that the flaws could allow remote attackers to launch denial-of-service (DoS) attacks.
It was more bad news for Cisco following the announcement of a vulnerability in its IOS Telephony Services earlier this week.
The warning from CERT followed the release of information on three separate vulnerabilities: one for Cisco products using Multi Protocol Label Switching (MPLS), a technology for increasing network traffic speed, another for Cisco products running IOS with IPv6, and the third for products running IOS with Border Gateway Protocol (BGP), a large network routing manager. All three vulnerabilities may have "severe" consequences if they go unfixed, said US-CERT, a division of the US Department of Homeland Security.
Although the vulnerabilities stem from different components of Cisco's products, they could all eventually result in the affected devices restarting unexpectedly, creating a denial of service, Cisco said.
Cisco announced the vulnerabilities publicly via its website, and is offering free, patched software for its customers from its online software centre, said John Noh, public relations manager at Cisco. "We discovered (the vulnerabilities) through routine testing, we made customers aware of it publicly, and we are now offering fixes," he said.
Cisco specified the product versions that are affected by the vulnerabilities on its website. Affected products running IOS with MPLS capability are: 2600 and 2800 series routers; 3600, 3700 and 3800 series routers; 4500 and 4700 series routers; and 5300, 5350 and 5400 series Access Servers. All products running IOS with IPv6 or BGP are vulnerable.
Cisco was unable to comment on how many customers would be affected by the vulnerabilities, although the company had not reported any cases of the vulnerabilities being exploited as of late Thursday.