Cisco Releases Security Patch Bundle, Including Fixes For Three Critical IOS And IOS XE Vulnerabilities
Cisco Systems released a bundle of almost three dozen patches Thursday, three of which close critical security gaps in the networking software that powers many of its routers and switches.
The most serious vulnerability addressed in Cisco's semi-annual patch release is a flaw in the IOS and IOS XE software that can be exploited through Smart Install, a feature for rapidly deploying the networking operating systems.
That flaw, whose discovery won researcher Embedi an award at the GeekPWN 2017 Hong Kong contest, makes it possible for an attacker to shut down switches and routers over the Internet. Embedi, in a quick scan, found 250,000 vulnerable devices, with millions more potentially affected.
Cisco's client software improperly validates packet data, allowing a clever attacker to send a Smart Install message that would overflow the buffer, the researcher discovered.
Such a malicious message could force the device to reload, allow execution of malicious code, or cause an indefinite loop triggering a crash, according to the Cisco Security Advisory on the topic.
Customers should immediately patch their network devices since no workarounds are currently available, Cisco said.
Smart Install is essentially a plug-and-play feature for quickly deploying new devices onto networks. It automates configuration and the loading of the operating system.
Any Cisco network equipment with TCP port 4786 open is vulnerable to attack.
Embedi at first thought the exploit it discovered would only work for a hacker with access to a local network. It quickly realized that wasn't the case by conducting a scan of the Internet.
Cisco also released patches for two more bugs the company found in the IOS XE software. One allows an attacker to use an undocumented user account to remotely connect to devices; the other allows remote code execution through an IOS subsystem.
Last June, the San Jose, Calif.-based networking leader revamped IOS software "for the digital age," said David Goeckeler, senior vice president and general manager of networking and security, in a statement.
"Our [new IOS] is open, it's API-driven, it's programmable, it's modular, it allows our customers to extend it to interconnect in an API world," Goeckeler said. "This is going to drive intent-driven networking for the next 30 years."