Cisco patches three-year-old remote code-execution hole
Patch or kill Telnet
A dangerous three-year-old remote code execution hole affecting Cisco kit has been patched.
Researcher Glafkos Charalambous discovered the Telnet vulnerability (CVE-2011-4862), which was first reported by the FreeBSD Project in 2011. It was left unpatched in Cisco appliances until 15 October this year.
The International Business Schools IT manager found the bug in the AsyncOS software in all versions of Cisco's web, email and content security management appliances.
Cisco warned that customers were open to arbitrary code execution if they enabled Telnet on those devices.
"A vulnerability in telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system," Cisco wrote in a revised advisory.
"The vulnerability is due to insufficient boundary checks when processing telnet encryption keys.
"An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system [and] execute arbitrary code on the system with elevated privileges."
Cisco gave the vulnerability a base score of 10 due to its ease of exploitation and highly damaging impact.
Cisco included information on the impact on IronPort systems in 2012 and has detailed some workaround alternatives for those unable to patch quickly. ®