Feeds

Protocol switch security risk in Cisco IOS

Cute, but far from devastating

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Don't hold the front page: a vulnerability in a Cisco security software package for routers has been discovered - but the risk is moderate.

In a security notice issued today, Cisco said its IOS Firewall Feature Set (also known as Context Based Access Control [CBAC]), has a vulnerability which permits traffic to flow when it should be blocked by dynamic access control lists.

When Cisco's Firewall Feature Set software builds up a table of connections it has "allowed", it forgets to check the protocol type on subsequent connections. So, for example, if you allow UDP port 514 (syslog) through, you also permit TCP port 514 (rsh) through.

A Cisco customer discovered the bug but the networking giant is not aware of any malicious exploitation of the problem.

Russ Spooner, a security consultant at network security specialists Interrorem, described the vulnerability as "cute", but far from devastating.

"I can see a scenario where a Trojan could be used to trick a victim to opening a large number of UDP connections with a malicious host, which might permit the malicious host to back connect using TCP," said Spooner. But there are easier ways to control Trojans and an attacker would still need to plant malicious code on a victim's network.

Roy Hills, testing development director at security consultants NTA Monitor, said: "In my experience, very few people actually use Cisco Firewall Feature Set as a firewall, even though it is sometimes sold as such. The only people that I know who use this firewalling feature use it in conjunction with another firewall."

Confusingly the problem doesn't apply to Cisco PIX Firewall product, only a security component of its IOS software, which runs on routers and switches.

No immediate workaround for the problem is available but Cisco has produced a schedule for updating its Cisco IOS software, within an advisory that explains the issue in much greater technical depth. ®

Related stories

SSH hits the fan for Cisco on security
Multiple flaws in Cisco router software exposed
Cisco routers vulnerable to easy attack
Defending against SYN-flood DoS attacks
DoS attacks getting scary, CERT warns

External links

Cisco's advisory which, if anything, implies the problem is more serious than it really is

Secure remote control for conventional and virtual desktops

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?