This article is more than 1 year old

Sysadmins, here's your weekly Cisco bug-splat

IOS DoS and authentication bypass vulns patched

Cisco has patched a bag of bugs in its IOS and IOS XE software, with three denial-of-service bugs and one authentication bypass via SSH.

The SSHv2 bug, here, only works if the attacker comes armed with an RSA-configured user ID and public key.

Cisco's SSHv2 implementation then allows the attacker to log in with the privileges assigned to IOS's virtual teletype (VTY), which a sysadmin might (for example) have given admin rights.

The advisory says admins can check RSA user authentication for SSHv2 using the show running-config | begin ip ssh pupbkey-chain command.

Next on the list is an IPv4 NAT/MPLS bug, here.

Specific to IOS XE on ASR 1000, ISR 4300, ISR 4400 and Cloud Services 1000v routers, the bug forces a reload if an attacker sends the right IPv4 packet to the target.

Only devices with NAT and MPLS present on the same interface are vulnerable.

Wrapping up the list, there's a pair of IPv6 vulnerabilities associated with how IOS and IOS XE use neighbour discovery as a first-hop security feature.

From the advisory: “the IPv6 snooping feature bundles several Layer 2 IPv6 first-hop security features, including IPv6 neighbor discovery (ND) inspection, IPv6 device tracking, IPv6 address glean, and IPv6 binding table recovery. IPv6 ND inspection operates either at Layer 2, or between Layer 2 and Layer 3 to provide IPv6 features with security and scalability”.

The two bugs are:

  • A malformed packet sent to a device using the Cryptographically Generated Address (CGA) option will force a reload;
  • A flood of traffic consisting of specific IPv6 neighbour discovery packets will also DoS the target.

Patches have been released for all the bugs. ®

More about

TIP US OFF

Send us news


Other stories you might like