Feeds

Protocol switch security risk in Cisco IOS

Cute, but far from devastating

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Don't hold the front page: a vulnerability in a Cisco security software package for routers has been discovered - but the risk is moderate.

In a security notice issued today, Cisco said its IOS Firewall Feature Set (also known as Context Based Access Control [CBAC]), has a vulnerability which permits traffic to flow when it should be blocked by dynamic access control lists.

When Cisco's Firewall Feature Set software builds up a table of connections it has "allowed", it forgets to check the protocol type on subsequent connections. So, for example, if you allow UDP port 514 (syslog) through, you also permit TCP port 514 (rsh) through.

A Cisco customer discovered the bug but the networking giant is not aware of any malicious exploitation of the problem.

Russ Spooner, a security consultant at network security specialists Interrorem, described the vulnerability as "cute", but far from devastating.

"I can see a scenario where a Trojan could be used to trick a victim to opening a large number of UDP connections with a malicious host, which might permit the malicious host to back connect using TCP," said Spooner. But there are easier ways to control Trojans and an attacker would still need to plant malicious code on a victim's network.

Roy Hills, testing development director at security consultants NTA Monitor, said: "In my experience, very few people actually use Cisco Firewall Feature Set as a firewall, even though it is sometimes sold as such. The only people that I know who use this firewalling feature use it in conjunction with another firewall."

Confusingly the problem doesn't apply to Cisco PIX Firewall product, only a security component of its IOS software, which runs on routers and switches.

No immediate workaround for the problem is available but Cisco has produced a schedule for updating its Cisco IOS software, within an advisory that explains the issue in much greater technical depth. ®

Related stories

SSH hits the fan for Cisco on security
Multiple flaws in Cisco router software exposed
Cisco routers vulnerable to easy attack
Defending against SYN-flood DoS attacks
DoS attacks getting scary, CERT warns

External links

Cisco's advisory which, if anything, implies the problem is more serious than it really is

Beginner's guide to SSL certificates

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.