
Cisco squeezes out massive patch dump

Order some pizza and put in for overtime, netadmins, this could be a long night

By Richard Chirgwin, 29 Sep 2016

Cisco's issued 18 patch notices.

Let's start with the OpenSSL fix, because it affects the largest number of devices.

This implements both OpenSSL's September 22 patches and the September 26 patch, which fixed bugs introduced by the first round.

Switchzilla's routing operating systems are going to present sysadmins with the greatest amount of work, with ten vulnerabilities across various versions announced.

Stuff that's been patched

Cisco IOS and IOS XE Software have a vulnerability in SSH login to their “Authentication, Authorisation and Accounting” (AAA) service.

An attacker can cause a DoS by trying to log into the target device, if AAA is configured to log failed attempts. The fix is here.
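To see that trigger condition from the defender's side: the script below (an added example, not Cisco's code or anything from the advisory) scans IOS syslog for bursts of failed SSH logins from a single source, which is what a device logging failed AAA attempts would record under this DoS. The %SEC_LOGIN-4-LOGIN_FAILED message layout, the hostname rtr1 and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# IOS "%SEC_LOGIN-4-LOGIN_FAILED" message as relayed by a syslog server; the
# layout is assumed from typical IOS output, not taken from the article.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ .*%SEC_LOGIN-4-LOGIN_FAILED: "
    r"Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)

# Constructed sample: one source hammering SSH, one stray failure, one success.
SAMPLE_LOG = [
    "Sep 29 10:00:01 rtr1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:04 rtr1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:09 rtr1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:12 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:20 rtr1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:31 rtr1 106: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.5] [localport: 22]",
    "Sep 29 10:00:40 rtr1 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "Sep 29 10:00:55 rtr1 108: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
]


def parse(line, year=2016):
    """Return (timestamp, source_ip, user, local_port) or None for other messages."""
    m = LOGIN_FAILED.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"], int(m["port"])


def flag_floods(lines, threshold=5, window_s=60):
    """Map each source IP that hit `threshold` failed SSH logins inside a sliding
    window of `window_s` seconds to the largest burst size seen for it."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 22:  # only failed logins on the SSH port
            continue
        ts, src = rec[0], rec[1]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

Running flag_floods(SAMPLE_LOG) flags 192.0.2.10 with six failures inside a minute while the single failure from 198.51.100.7 and the successful login are ignored; feed it a real syslog export, one line per element, to get the same report.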

Cisco IOS XE needs a separate patch for a NAT DoS vuln: trying to process a malformed ICMP packet crashes the NAT process.

If an attacker can intercept a client DNS query and send back a crafted response, it can crash affected IOS and IOS XE versions.

IOS and IOS XE get a vulnerable implementation of the Common Industrial Protocol (CIP); once again, a crafted message can crash the victim.

Both OSs are also vulnerable to crafted, fragmented IKE v1 packets; and both can be crashed by sending crafted H.323 messages.

The IPDR – IP Detail Record – implementation in IOS and IOS XE is also vulnerable to a crafted-packet attack. IPDR is a field used by telco operational support systems to collect service usage data.

IOS XE on 64-bit platforms can be downed by crafted IPv4 fragments.

IOS and IOS XE have a couple of multicast bugs which need patching.

Stuff that's not been patched

IOS XR has a bug in its Open Shortest Path First (OSPF) implementation; so far, there is no patch or workaround.

If you've got FTP enabled on a Cisco AsyncOS-based e-mail appliance, turn it off, because attackers flooding the FTP service can crash the device.

But wait, there's more!

The IronPort AsyncOS e-mail appliance OS vuln discovered last week now has a patch: Cisco's killed the internal test/debug interface that shipped with the OS.

There are also three fixes for its Firepower management centre, covering respectively SQL injection, privilege escalation and cross-site request forgeries.

Order in the pizza, sysadmins, it might be a long night. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing