Cisco released three security advisories on Wednesday designed to fix multiple vulnerabilities in its core Internetwork Operating System Software (IOS).

Worst of the trio is a "Crafted IP Option" vulnerability that creates a potential means for hackers to load hostile code onto a range of Cisco routers and switches running IOS. Attacks would have worked by sending certain ICMP, PIMv2, PGM or URD packets with a specific IP option set to a Cisco device, thereby causing the hardware to either crash or load in such a way that arbitrary code is executed. The flaw applies to most of the code base of IOS 12.0, 12.1 and 12.2.

Cisco Security Advisories and vulnerability notes provided information on patching and possible workarounds to address the flaws. Sys admins are strongly advised to review these detailed bulletins. More easily-digestible information is available in summaries from the Internet Storm Centre (here) and US CERT (here).®

Related stories

• Cisco to get API-happy (17 December 2007)
• Experts scramble to quash IPv6 flaw (11 May 2007)
• Cisco wireless products suffer multiple vulns (13 April 2007)
• Cisco buys into social networking (9 February 2007)
• Cisco pulls its security together (6 February 2007)
• Cisco goes power-crazy (31 January 2007)
• Cisco plugs IP telephony and router security holes (19 January 2006)
• Cisco's 'Black Hat' nemesis joins Juniper (8 November 2005)
• Cisco protects routers against 'Black Hat' bug (3 November 2005)
• Cisco warns over serious authentication bug (8 September 2005)
• Cisco adds 'self-healing' tech to Cat 6500 (31 August 2005)
• Analysis OS exploits are 'old hat' (8 August 2005)
• Cisco security flap leaves millions scrambling for help (3 August 2005)
• Cisco portal password security compromised (3 August 2005)
• Cisco source code theft part of 'mega-hack' (10 May 2005)
• Cisco goes virtual with monster router (19 April 2005)