Networking company Cisco has released a bundle of eight security advisories to highlight flaws in its IOS software.
The software runs many of Cisco's routers and network switches, which are widely deployed in enterprises and underpin much of the internet's infrastructure. The bundle of security advisories, released on Wednesday, is concerned mainly with mitigating possible denial-of-service conditions caused by successful exploitation of TCP, UDP, Mobile IP and VPN vulnerabilities.
One of the advisories covers multiple IOS features that are vulnerable to denial of service: an attacker sending a sequence of crafted TCP packets can cause affected Cisco devices to reload. A list specifying which software versions are vulnerable is available in the Cisco advisory cisco-sa-20090325-tcp. Vulnerable software includes recent releases such as 12.4XZ and 12.4YA.
Multiple features in IOS software are also affected by a crafted UDP vulnerability that could be used by an attacker to block data-packet transmission on Cisco devices. Most versions of IOS are vulnerable in this way, apart from the latest iterations of 12.4: 12.4YB and 12.4YD.
Cisco IOS software configured for Mobile IP and IPv6 could also suffer denial of service. Mobile IP and IPv6 allow host computing devices to retain an IP address if they move location or move between different networks. The Mobile IP Network Address Translation (NAT) Traversal feature of IOS software is vulnerable to denial of service should crafted packets be sent to a router. The latest iterations of 12.4 are not vulnerable.
Cisco IOS WebVPN and Cisco IOS SSLVPN both contain two vulnerabilities that can be exploited remotely, without authentication, to cause denial of service. Should the VPN software receive crafted HTTPS packets, the device will crash; the SSLVPN software is also vulnerable to a memory leak that would likewise crash the device. Iterations 12.4YA, YB and YD are not vulnerable.
Many of the advisories recommend that IT professionals upgrade to the latest versions of IOS software, either by downloading it from Cisco's Software Center or by obtaining the software updates through a contracted supplier. Fixes have also been provided for those organisations using legacy systems.