Protocol switch security risk in Cisco IOS
Cute, but far from devastating
Don't hold the front page: a vulnerability in a Cisco security software package for routers has been discovered - but the risk is moderate.
In a security notice issued today, Cisco said its IOS Firewall Feature Set (also known as Context Based Access Control [CBAC]), has a vulnerability which permits traffic to flow when it should be blocked by dynamic access control lists.
When Cisco's Firewall Feature Set software builds up a table of connections it has "allowed", it forgets to check the protocol type on subsequent connections. So, for example, if you allow UDP port 514 (syslog) through, you also permit TCP port 514 (rsh) through.
A Cisco customer discovered the bug but the networking giant is not aware of any malicious exploitation of the problem.
Russ Spooner, a security consultant at network security specialists Interrorem, described the vulnerability as "cute", but far from devastating.
"I can see a scenario where a Trojan could be used to trick a victim to opening a large number of UDP connections with a malicious host, which might permit the malicious host to back connect using TCP," said Spooner. But there are easier ways to control Trojans and an attacker would still need to plant malicious code on a victim's network.
Roy Hills, testing development director at security consultants NTA Monitor, said: "In my experience, very few people actually use Cisco Firewall Feature Set as a firewall, even though it is sometimes sold as such. The only people that I know who use this firewalling feature use it in conjunction with another firewall."
Confusingly the problem doesn't apply to Cisco PIX Firewall product, only a security component of its IOS software, which runs on routers and switches.
No immediate workaround for the problem is available but Cisco has produced a schedule for updating its Cisco IOS software, within an advisory that explains the issue in much greater technical depth. ®
SSH hits the fan for Cisco on security
Multiple flaws in Cisco router software exposed
Cisco routers vulnerable to easy attack
Defending against SYN-flood DoS attacks
DoS attacks getting scary, CERT warns