Cisco patches security flaws in number of products

Updates address vulnerabilities in products ranging from Cisco Unified CallManager to Cisco Firewall Service Module.
Written by Dawn Kawamoto, Contributor
Cisco Systems has released a security patch to fix vulnerabilities in a number of its products that are at risk of a denial of service attack.

The vulnerabilities are found in a third-party cryptographic library in Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Module and Cisco Unified CallManager products, according to a security advisory issued by Cisco.

The security flaws could allow attackers to send a few small packets through the routers to shut down the network in a DOS attack, said Johannes Ullrich, chief research officer for the Sans Institute, which issued a security notice Wednesday.

"In most DOS attacks, you just send more traffic than the network can handle. But in this case, the attacker only has to send a few packets," Ullrich said. "That takes up less of their bandwidth and makes it very easy to resend these packets again and again."

The vulnerabilities can be exploited without a valid username or password, given some of the older Cisco products have the cryptographic library set to default. And while attackers may be able to launch a DOS attack, they are not known to gain access to information that has already been encrypted, Cisco noted.

In its advisory, Cisco includes various links for downloading fixes, as well as offering suggestions for potential workarounds.

Although the vulnerabilities affect a wide range of Cisco products, no exploits have yet surfaced, Ullrich noted.

Cisco has issued several security advisories this year involving its routers. In January, the networking giant warned that it had found three security flaws in its software that operates its routers and switches. And in February, Cisco alerted users that its intrusion prevention technology in its routers could be susceptible to an attack, due to vulnerabilities in its key operating system.

Editorial standards