Cisco squeezes out massive patch dump
Order some pizza and put in for overtime, netadmins, this could be a long night
Cisco's issued 18 patch notices.
Let's start with the OpenSSL fix, because it affects the largest number of devices.
It implements both OpenSSL's September 22 patches and the September 26 patch that fixed bugs introduced in the first patch.
Switchzilla's routing operating systems are going to present sysadmins with the greatest amount of work, with ten vulnerabilities across various versions announced.
Stuff that's been patched
Cisco IOS and IOS XE Software have a vulnerability in SSH login to their “Authentication, Authorisation and Accounting” (AAA) service.
An attacker can cause a DoS by trying to log into the target device, if AAA is configured to log failed attempts. The fix is here.
Cisco IOS XE needs a separate patch for a NAT DoS vuln: trying to process a malformed ICMP packet crashes the NAT process.
If an attacker can intercept a client DNS query and send back a crafted response, it can crash affected IOS and IOS XE versions.
IOS and IOS XE get a vulnerable implementation of the Common Industrial Protocol (CIP); once again, a crafted message can crash the victim.
The IPDR – IP Detail Record – implementation in IOS and IOS XE is also vulnerable to a crafted-packet attack. IPDR is a field used by telco operational support systems to collect service usage data.
IOS XE on 64-bit platforms can be downed by crafted IPv4 fragments.
IOS and IOS XE have a couple of multicast bugs which need patching.
Stuff that's not been patched
IOS XR has a bug in its Open Shortest Path First (OSPF) implementation; so far, there is no patch or workaround.
If you've got FTP enabled on a Cisco AsyncOS-based e-mail appliance, turn it off, because attackers flooding the FTP service can crash the device.
But wait, there's more!
The IronPort AsyncOS e-mail appliance OS vuln discovered last week now has a patch: Cisco's killed the internal test/debug interface that shipped with the OS.
Order in the pizza, sysadmins, it might be a long night. ®