Home & Office

US Report: Software bug hits Cisco

A software error has been uncovered that compromises the security of certain products made by Cisco Systems Inc.
Written by Charles Cooper, Contributor

The bug -- which affects the company's networking software -- allows unauthenticated users to penetrate logins for routers and other Cisco IOS (Internetworking Operating System) devices. That, in turn, can open the door for hackers to read information entered by prior users of the devices -- including passwords.

However, Cisco says the danger is limited: The only information likely to get exposed would be at the prompt of the IOS device, and any data that gets forwarded would not be exposed. The problem affects devices running Cisco IOS software, including most, but not all, Cisco router products, according to Cisco. The company says the glitch affects versions 9.1 and later of its IOS software.

"This is certainly cause for concern," said John Bashinski, a spokesman for Cisco. "We want to see people upgrade if they can reasonably do so. This potentially gives away a password. Obviously, that's something you don't want to give away."

The opening would let hackers -- who would only need to establish a terminal connection -- to reproduce "nearly complete lines, and fragments tens of characters long," according to a document posted on Cisco's Web site.

Bashinski said Cisco has issued fixes that can be downloaded from the company's Web site. He declined to gauge the severity of the problem -- which he described as a "vulnerability caused by a bug" -- but suggested that customers download the fix. "If it was in my network, I would look at upgrading," he said. "I wouldn't panic."

Analysts also weren't panicked, though they also weren't advising complacence. "It would be potentially a disaster if such a security breach were to take place," said Craig Mathias, president of Farpoint Group in the US. This is only the latest instance of an Internet-related product found to be vulnerable because of a software glitch. In recent months, at least one other Cisco bug has been discovered, as well as bugs that compromise Internet browsers made by both Microsoft and Netscape.

Mathias said the bugs can't be avoided. "All software has bugs, and the bigger the software gets, the more bugs it has."

"The underlying significance here is we have more and more people looking at ways to get into and get access to systems that are critical to the Internet," said Rob Enderle, an analyst at Giga Information Group, who expressed doubt in the ability of vendors to consistently produce glitch-proof products.

"There's just too much change going on," he said. "The technology is going to have to stabilise for a while until much heavier security can be wrapped around a more simplified structure. What we're waiting for is a major disaster. That's what it'll take to get us to a more secure environment."

Editorial standards