Cisco has revealed a number of flaws in the operating system running on the majority of its switches and routers that could ultimately be exploited in denial-of-service (DoS) attacks.
In many cases the flaws do not have temporary workarounds, forcing administrators to quickly update to patched software or remain vulnerable.
The company released advisories on several vulnerabilities in its IOS software overnight, following internal testing it had been conducting. IOS, not to be confused with Apple's iOS, is the operating system that runs on the majority of Cisco's routers and network switches. Cisco has released software updates to fix the issues, but there are only limited options for those who don't want to use the patch immediately. While Cisco often provides temporary workarounds that can be used while administrators make preparations to update their software, in this case there are no workarounds for the newly released vulnerabilities, or the workarounds significantly impact services to the point that they aren't practical.
The majority of the vulnerabilities are the result of how Cisco's IOS software processes specially crafted packets or messages including Session Initiation Protocol (SIP) messages used in voice over IP (VoIP) services and IPv6 packets. These holes could enable malicious users to cause devices that process SIP messages to reboot or become unstable. By continually exploiting this behaviour, they could deny services to legitimate users.
For those who don't want to install the patch, Cisco suggests the disabling of SIP processing completely — an option that isn't viable for those providing VoIP services.
For customers who must run SIP on vulnerable devices, Cisco recommends applying mitigation techniques such as allowing only legitimate devices to connect to the vulnerable ones and applying measures to guard against spoofing.
Other vulnerabilities have to do with how the operating system handles IPv6 packets. Malformed IPv6 packets could cause devices to reboot. Admins looking for a quick fix will have to drop IPv6 support completely. Many providers are moving to IPv6 from IPv4 due to the last IPv4 addresses being assigned in February.
The Cisco IOS software's Intrusion Prevention System (IPS) was also found to be vulnerable to attack. IPS is a packet inspection feature built into IOS that is designed to mitigate a range of network attacks. However, when processing specially crafted HTTP packets, devices could hang or crash and there is no temporary workaround.
The company has released advisories detailing what devices are vulnerable, but it has not publicly disclosed the vulnerabilities themselves. It has restricted this information to its registered customers, presumably to limit any opportunistic exploitation and give administrators time to plan the upgrades to their systems. Cisco said it had not seen any examples of the vulnerabilities being exploited in the wild.
IOS has been plagued by vulnerabilities in the past, including ones that have allowed users to skip paying their internet access charges.