Cisco Patches Critical IOS Vulnerabilities

The most serious of the IOS flaws can be triggered by sending a specially rigged packet directly to a switch or router, which would cause the device to reload and possibly pave the way for malicious code execution, according to a Cisco advisory Wednesday.

Attackers can exploit the flaw through Internet Control Message Protocol (ICMP) packets, Protocol Independent Multicast version 2 (PIMv2) packets, Pragmatic General Multicast (PGM) packets, or URL Rendezvous Directory (URD) packets that contain an altered IP option in the packet's IP header, the San Jose, Calif.-based vendor said.

Gary Berzack, CTO of eTribeca, a New York-based solution provider and Cisco partner, says many companies don't pay attention to critical updates, which is especially dangerous when it comes to vulnerabilities in widely deployed software such as IOS.

"We see IOS updates all the time, but when we go in and get a glimpse of companies security devices, we often find they haven't updated IOS in over a year," Berzack said.

All devices running all unpatched versions of Cisco IOS and Cisco IOS XR software are vulnerable. However, the flaw only affects devices configured to process IPv4 packets; those running only IPv6 aren't affected, according to Cisco, which assigned a CVSS base score of 10 out of 10 to the flaw.

In a separate advisory, Cisco said it has patched a flaw that affects only IOS systems set up to run IPv6, which isn't enabled by default. Attackers could exploit this vulnerability by getting IOS to process rigged IPv6 Type 0 Routing headers, which are used for source routing, a method for specifying the exact path that a packet must take to reach the destination, Cisco said.

In the best case scenario, a successful exploit will cause the router to crash, with repeated crashes creating a denial of service situation. However, because the flaw can lead to memory corruption, it could possibly be leveraged to allow remote attackers to execute malicious code, according to the advisory.

In addition, because the vulnerability exists on the IP layer, it can be triggered by any type of packet, including a spoofed packet, said Cisco, which assigned a CVSS base score of 10 out of 10 to the flaw.

This particular vulnerability affects every version of IOS ever built and has the potential to be easily exploitable, said Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider. "IOS is a very large piece of code, and any large piece of code is more vulnerable than a small piece of code," he said.

However, all vendors have to deal with the problem of some organizations failing to update their products when vulnerabilities are patched, which is the main danger in this scenario, Labatt-Simon noted.

Cisco also patched a bug in the TCP listener component found in certain versions of IOS. The remotely exploitable memory leak could enable attackers to launch denial of service attacks against devices running IOS, but Cisco gave it a CVSS base score of 3.3 out of 10.