Cisco DoS warning: Patch these 13 high-severity holes in IOS, IOS XE now

Cisco has fixes in its September bundle for over a dozen denial-of-service security flaws.
Written by Liam Tung, Contributing Writer

Admins can now grab Cisco's updates for 13 high-severity flaws affecting gear that uses its IOS and IOS XE networking software.

All the bugs have been rated as having a high security impact because they could be used to gain elevated privileges or jam a device with denial-of-service (DoS) attacks.

The company also has fixes available for 11 more flaws outlined in 10 advisories with a medium-severity rating, most of which also address issues in IOS and IOS XE, the Linux-based train of Cisco's popular networking operating system.

The updates for the 13 high-severity IOS and IOS XE flaws are part of Cisco's scheduled twice-yearly patch bundle for this software targeted for September.

September has been a busy month of patching for Cisco. The company reported this week that some IOS XE releases were among 88 Cisco products vulnerable to the DoS attack on Linux systems known as FragmentSmack.


And earlier this month it plugged a critical hard-coded password bug in its video surveillance software.

None of the flaws in the latest advisory is known to have been used in attacks and Cisco isn't aware of any public disclosures.

Among the higher-severity flaws is a DoS bug in the IOS XE Web UI, which could allow a remote attacker to trigger a reload of the device by sending specially crafted HTTP requests to the UI.

An unauthenticated attacker could exploit this bug in IOS XE releases prior to 16.2.2, while 16.2.2 and later require authentication.

Another DoS flaw is rooted in the IPsec driver code of multiple Cisco IOS XE platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA). The buggy code improperly processes malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets.

"An attacker can exploit this vulnerability by using a crafted ESP or AH packet that meets several other conditions, such as matching the IPsec SA SPI and being within the correct sequence window," notes Cisco.


This flaw affects six ASR 1000 Series Aggregation Services Routers, and two 4000 Series Integrated Routers.

Cisco notes that its software is affected if the system has been modified from its default state and configured to terminate IPsec VPN connections, such as LAN-to-LAN VPN, and remote access VPN, but not SSL VPN.

Three appliances from Cisco's ASA 5500-X Series Adaptive Security Appliances line are also affected, again only if they've been configured to terminate IPsec VPN connections.
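A quick way to triage whether a device meets the "configured to terminate IPsec VPN connections" condition above is to check its running configuration for IPsec termination points. The following is an added example, not code from Cisco or the advisory; it runs over a constructed IOS-style config excerpt and assumes that an applied `crypto map` or `tunnel protection ipsec profile` on an interface is the indicator of IPsec termination, while a `webvpn` (SSL VPN) stanza alone is not.

```python
import re
from typing import List

# Constructed sample of an IOS XE running-config excerpt (not from the advisory).
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
crypto ipsec profile DMVPN-PROF
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel protection ipsec profile DMVPN-PROF
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map L2L
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
webvpn gateway SSLGW
 ip address 198.51.100.1 port 443
"""


def ipsec_termination_points(config: str) -> List[str]:
    """Return 'interface: command' for each interface that terminates IPsec.

    Heuristic (assumption): an interface terminates IPsec when it carries an
    applied crypto map or tunnel protection with an IPsec profile.
    """
    hits = []
    current = None  # name of the interface stanza we are inside, if any
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level command starts a new stanza
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            continue
        if current is None:  # indented line under a non-interface stanza
            continue
        cmd = line.strip()
        if re.match(r"crypto map \S+$", cmd) or cmd.startswith("tunnel protection ipsec"):
            hits.append(f"{current}: {cmd}")
    return hits


def terminates_ipsec_vpn(config: str) -> bool:
    """True if the device meets the advisory's IPsec-termination condition.

    SSL VPN (webvpn) alone does not count, matching Cisco's note above."""
    return bool(ipsec_termination_points(config))


if __name__ == "__main__":
    for hit in ipsec_termination_points(SAMPLE_CONFIG):
        print("IPsec termination:", hit)
    print("needs patching per this advisory:", terminates_ipsec_vpn(SAMPLE_CONFIG))
```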

Yet another DoS flaw affecting both IOS and IOS XE Software can be exploited by sending malicious IPv6 packets to an affected device.
