Cisco fixes denial-of-service vulnerabilities in IOS



Cisco have this week released critical security patches for their IOS software used on routers, switches and other networking equipment. 7 vulnerabilities had been identified in the networking giant's IOS software that attackers could exploit to force a reboot of components and a loss of availability.

Cisco have released newer IOS versions that fix the bugs, patching two major vulnerabilities discovered in the Network Address Translation (NAT) feature, mainly used by routers. These vulnerabilities were being exploited by attackers on a regular basis by sending malicious DNS packets that would be processed and translated by the vulnerable device. The other vulnerability involved sending specific sequences of TCP packets to affected IOS devices, which would also lead to a compromise.

NAT is a feature that is enabled in most modern-day routers. Users can check whether it is enabled, and whether it is actually needed, by issuing the “show ip nat statistics” command on the device. The response shows whether NAT is active: if it is, the ‘Outside interfaces’ and ‘Inside interfaces’ sections will each list at least one interface.

Cisco released an advisory on Wednesday detailing the vulnerability, which can be read here. It is recommended that organisations and individuals that utilise Cisco kit in their networks reference the advisory, which details vulnerable IOS versions and relevant patches. It should be noted that Cisco IOS XR/XE are not vulnerable to these exploits.

A further vulnerability has also been noted in the IPv6 protocol stack in Cisco IOS XE software. Maliciously formed IPv6 packets could exploit this vulnerability to cause input/output depletion. If exploited, this vulnerability could also cause the device to reboot, causing a loss of availability and denial of service for the affected organisation. Cisco released a further set of updates to mitigate a risk in the IOS Internet Key Exchange Version 2 (IKEv2) module. Again, a malformed packet can exploit this vulnerability, causing the device to reload.

Secure Sockets Layer (SSL) Virtual Private Network (VPN) subsystems were also found to be vulnerable in the Cisco software. Malformed HTTPS packets submitted to the device could exploit this vulnerability by overloading the device's memory. The resulting memory overload would degrade performance or cause a crash/restart. Users can determine whether their devices are vulnerable by executing the ‘show webvpn gateway’ EXEC command on the affected device. The device is vulnerable if the affected software is running and the output lists the Admin and Operation statuses of configured gateways as up.
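The two EXEC commands named above, ‘show ip nat statistics’ and ‘show webvpn gateway’, are usually run by hand, but the same decision rule is easy to automate across a fleet of captures. The following is an added example, not code from the article or from Cisco: it parses constructed sample outputs laid out in the general shape of those two commands and applies the article's tests (NAT is active when both interface sections list at least one interface; the SSL VPN gateway is exposed when Admin and Operation are both up). Field spacing and order on a real device may differ, so the parsers are a starting point to be checked against your own captures.

```python
"""Decide NAT and SSL VPN exposure from Cisco IOS show-command output.

Added example; not code from the article or from Cisco. The sample
outputs below are constructed to follow the general layout of
`show ip nat statistics` and `show webvpn gateway`; check the parsers
against captures from your own devices before relying on them.
"""
import re

# Constructed sample: NAT bound to one outside and two inside interfaces
# (inside interfaces listed comma-separated on a single line).
NAT_STATS_ACTIVE = """\
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  FastEthernet0/0, FastEthernet0/1
Hits: 45  Misses: 0
CEF Translated packets: 45, CEF Punted packets: 0
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool NAT-POOL refcount 3
"""

# Constructed sample: no outside interface bound, so NAT is not active
# and the article's check comes back negative.
NAT_STATS_INACTIVE = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
"""

# Constructed sample of `show webvpn gateway`: one gateway up/up, one down.
WEBVPN_GATEWAYS = """\
Gateway Name                      Admin  Operation
------------                      -----  ---------
SSLVPN_GW                         up     up
OLD_GW                            down   down
"""


def parse_nat_interfaces(output: str) -> dict:
    """Return {'outside': [...], 'inside': [...]} from `show ip nat statistics`.

    Interface names are collected from the indented lines following each
    'Outside interfaces:' / 'Inside interfaces:' header until the next
    unindented line; a line may carry several comma-separated names.
    """
    sections = {"outside": [], "inside": []}
    current = None
    for line in output.splitlines():
        header = re.match(r"^(Outside|Inside) interfaces:\s*$", line)
        if header:
            current = header.group(1).lower()
            continue
        if current is None:
            continue
        if not line.startswith((" ", "\t")):
            current = None  # an unindented line ends the interface list
            continue
        sections[current].extend(
            name.strip() for name in line.split(",") if name.strip()
        )
    return sections


def nat_is_active(output: str) -> bool:
    """Article's rule: NAT is active when both sections list an interface."""
    ifaces = parse_nat_interfaces(output)
    return bool(ifaces["outside"]) and bool(ifaces["inside"])


def webvpn_gateways_up(output: str) -> list:
    """Return gateway names whose Admin and Operation columns are both 'up'."""
    up = []
    for line in output.splitlines():
        fields = line.split()
        # Skip blank lines, the column header row and the dashed separator.
        if len(fields) < 3 or fields[0] == "Gateway" or fields[0].startswith("-"):
            continue
        name, admin, oper = fields[0], fields[-2].lower(), fields[-1].lower()
        if admin == "up" and oper == "up":
            up.append(name)
    return up


def webvpn_is_exposed(output: str) -> bool:
    """Article's rule: exposed if any configured gateway is Admin up / Operation up."""
    return bool(webvpn_gateways_up(output))


if __name__ == "__main__":
    print("NAT active (sample 1):", nat_is_active(NAT_STATS_ACTIVE))
    print("NAT active (sample 2):", nat_is_active(NAT_STATS_INACTIVE))
    print("SSL VPN gateways up/up:", webvpn_gateways_up(WEBVPN_GATEWAYS))
```

Feeding real captures into `nat_is_active` and `webvpn_is_exposed` gives a quick first pass over an estate; a positive result still needs the running IOS version compared against the advisory before the device is treated as affected.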

An additional vulnerability has been discovered in the Session Initiation Protocol (SIP) implementation in Cisco IOS/XE. SIP is a protocol commonly used for voice and video calls over the Internet, for example via Skype. Cisco have released a further advisory detailing this vulnerability. It is recommended that organisations review their Cisco IOS components and refer to the advisory.

Cisco have released several advisories listing these vulnerabilities, along with affected versions and recommendations from the vendor. Organisations and individuals running Cisco kit are strongly recommended to check their devices using the above commands and refer to the advisories to identify mitigating controls they can put in place to reduce the risk of compromise via these vulnerabilities.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
