Cisco patches DoS vuln pair in IOS
No exploit spotted
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Cisco has issued a pair of updates today patching two remote denial of service vulnerabilities affecting certain devices running its Internetwork Operating System (IOS).
The vulnerabilities are limited to kit running Cisco IOS software with support for four-octet Autonomous Systems number space (AKA: 4-byte AS number) and Border Gateway Protocal (BGP) routing configured. Attackers could use the exploits for repeated reloading of the device causing an extended denial of service blockage.
The security holes were confirmed in Cisco IOS and Cisco IOS XE with support for RFC4893.
The first vulnerability may cause an affected device to crash with memory corruption, but requires three conditions:
- Cisco IOS Software device is a 4-byte AS number BGP speaker
- BGP peering neighbor is a 2-byte AS number BGP speaker
- BGP peering neighbor is capable of sending a BGP update with a series of greater than one thousand AS numbers
If an affected 4-byte AS number BGP speaker receives a BGP update from a 2-byte AS number BGP speaker containing AS path segments of more than one thousand autonomous systems, the device may crash with memory corruption and spit out the error "%%Software-forced reload."
Cisco says there is no workarounds on the affected device, but neighbors could be configured to discard routes that have more than one thousand AS numbers in the AS-path segment.
The second vulnerability could cause a device to reload when it processes a malformed BGP update that has been designed to trigger the issue.
This security hole requires three conditions as well:
- Cisco IOS Software device is a 4-byte AS number BGP speaker
- BGP peering neighbor is a 2-byte AS number BGP speaker
- BGP peering neighbor is capable of sending a non-RFC complaint malicious BGP update message.
Cisco says configuring "bgp maxas-limited [value]" on the affected device will mitigate the vulnerability. The company suggests using a lowball value of 100 to best avoid the problem.
Updates have been issued to stop the vulnerabilities, and of course users are advised to update to the fixed version. Cisco said its not aware of anyone maliciously exploiting the security flaws, although some customers have accidentally triggered the first vulnerability within their infrastructures.
Additional details are available on the security notice here. ®
COMMENTS
IOS Upgrade
It's pretty easy to say one should upgrade to the non-flawed IOS, but it's much tougher to actually do it...especially in a large enterprise. IOS roll-out to a network of a few thousand, or even a few hundred, devices might take months to complete. And the roll-out wouldn't start until after the QA team shook it out for a while in the lab. Let's face it, IOS upgrades to plug a relatively esoteric security exposure fall way down the priority list of most companies. They've got far too many Microsoft patches to apply to the desktops and servers without regularly disrupting the networks in between. Live with the IOS bugs and holes until there's a compelling (feature) reason to upgrade.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
