Cisco Reports Security Flaw In Routers, Switches

The vulnerability appears in the SNMP service that is part of Cisco's Internetwork Operating System (IOS), the OS that runs on most of the vendor's gear. SNMP is a protocol used to monitor and manage network devices.

Cisco recommended upgrades to non-vulnerable IOS releases and suggested a number of workarounds, encouraging customers to contact their solution provider partners for help with the fixes. Upgrades for customers with maintenance contracts are available through the Cisco Web site.

Due to the vulnerability, the software incorrectly handles specific SNMP messages. As a result, the impacted device can experience memory corruption and may reload, according to a security advisory issued by Cisco, San Jose, Calif. Hackers could exploit the vulnerability remotely to force devices to reload repeatedly, resulting in a denial-of-service (DoS) condition, the company said.

The vulnerability impacts at least seven IOS release trains, ranging from 12.0 to 12.3, Cisco said.

Cisco's security advisory followed an alert from US-CERT that warned of vulnerabilities in TCP that allow remote attackers to terminate network sessions, which could lead to DoS conditions.

Cisco issued separate advisories regarding the TCP vulnerability, which it said affects all of its products, with recommended upgrades and workarounds.

Juniper Networks also said its products are susceptible to the vulnerability and has made software fixes available.

Other vendors, such as Hitachi and NEC, are investigating the potential impact on their products, according to US-CERT's Web site.