|
|
|
Cisco Comes Clean on Extent of IOS Flaw
By: Ryan Naraine
2005-07-29
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Days after taking legal action to block a security researcher from discussing a flaw in its Internetwork Operating System, Cisco issues an advisory confirming the extent of the vulnerability.LAS VEGAS—Cisco Systems Inc. on Friday confirmed that a security hole in its Internetwork Operating System could be exploited by remote attackers to execute arbitrary code.
The routing and switching giants confirmation comes just days after details on the extent of the flaw were released at the Black Hat Briefings here by former Internet Security Systems Inc. researcher Michael Lynn.
Lynns dramatic presentation caused quite a stir and prompted Cisco and ISS to file an injunction and temporary restraining order to block the further dissemination of information on the IOS flaw.
 Click here to read about Ciscos attempt to keep Lynn from publicizing information about the flaw.
Cisco is now coming clean on the extent of the flaw, which carries a "high risk rating" and could cause much more than denial-of-service attacks on routers.
In an advisory Cisco said the IOS software contains a vulnerability in processing crafted IPv6 packets.
The company warned that an unauthenticated, external attacker that sends an IPv6 packet from a local network segment to an affected device can cause the device to reload or execute arbitrary code. Repeated exploitation may cause a sustained denial-of-service condition.
The vulnerability only affects devices that are configured to process IPv6 traffic.
"Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets can not traverse a 6to4 tunnel and attack a box across the tunnel. The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability can not be exploited one or more hops from the IOS device," the company explained.
Lynn defends his decision to reveal details of the IOS flaw. Click here to read more.
Due to the scope of the flaw, Cisco is encouraging network administrators to meet with their service provider or support organization to determine the most appropriate workaround for each affected network.
Administrators that do not require IPv6 processing can disable IPv6 on an affected device. Issuing both the "no ipv6 enable" and "no ipv6 address" command on each interface will accomplish this, the company said.
Administrators should also to upgrade to an unaffected version of Cisco IOS.
Software versions and appropriate fixes have been included in the Cisco advisory.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
|
|
�������x}v㶲s{��;xVKd[nkǶ-u;YZ� I)R|ļ5?18U�xӅlwLwb$�P*�
��vv~/IM��ל۔䧮9;y"I͝7o��-34r-GgRSrĠt� E34wݶN#gP'^ �`��l&R;?+�7
��A:�W[YHL~#?"�QYT4ID>��-ā�WP� u.jzRҏjF-_ ��յR�Ija�̳|�3�-i�*�H,GQD~1/NM㳣N��lL,/!�Z4
�V*^鮘FHwAբsyҽ59i�{H
ܹGtHM��W:w -N\mUV�/mz
��6�l
U���u�ô|W�{IM&�pt9&9IoDz|?!/ !}Ow|�nr2GrI/�\o,�ba(��30sj���2)�>-L9��oY@.@ө#еԛ7V4B=88u&T7o`�H�2��4 �]#w�� a4[#RFp &�\� ��a�C|dUa�l&XJp7�jJi_%�,|YB*�b�Z9nPWȨ�YSAeEI7CD� r43.�|!XsI��((�{�?�N�IR]E6\la>U<8z�6wܬ.�U$ԴXߙ-~ӒKsqnUŧvz߆)g��F8�,H�!e$�8WG9UGZ9UݓEʐTr*"� r/LL[ԑApl� u��tn�L�>(��mNRG}:)51�'5d}4>�AGA�ticš4Ϭ@7&��hC:}ҍ�LZ ��?
wGB��:,LAb߇@�&c`M?k�PC'�A�:\�TR}>49q�PhQP<�sz0Y@[Sh_�%jy7t(
u�4/f��O`\@9�pp�YY;90�@Yu�bsB�ݷ|�{��tև
*��QsnPB�fԁ.v9.Wb���A/�h��y"# D�EM�i�@(�P!$�5`��r�.��=�
�ŌP~ޑ�zZ.%r��P.o=!đt݁Z.?K3aGe�5n^
_�
23CEɴa���"Y�9�yDU�#�BU`B]ᛦBMa�m`DݘA,�TjTIkB{4��0C�d�p{4l` ��[X& ':�5$&.a*q�O\�g�4c�p6hBJe�w6q� '�JmX�,,iThjMMlbs01@�/��ŵa�a��8c*:tҝa|ie;m//�eKKZQ6Om��V ҇��D5)0ڠ�,��F�=}6:y�*�?MRT�I:&"_Gƅ�Kd�
9ЧmPܑk}6fD�6'# QZ�Z2y�8p=r�)©5j6|��j�0FBċ#כŊ0vQXewP~71�cXh�[!pYb~*��>FmdB
�[;$!U6:EE$>E�6a ��d1Ǿxo+<�CH�u�N�Db�����$>��\T`�t>*j*:WX60n) 54n*zvIMy�mh"`0�ˇ%M:�l��zԘ{hBQ�7ݏ�P1gxyd��.�3IZ+�k��*ZKjZ9��>熾_�2�OX�qD��L�hA�ui��ހ%l�JIF��G�:q~e(Dg8`&~)aj4X]�OCU�ޯy35
�)& LtP
Ȑ�h�GӾ+vpNP<)A�n<1j/���Y]Ѧ�Wh�x^�qlB!CEDExYrC<�ͤլp#o|5y-��mwn�)~�h9�m !j_sU-��(xUr?H_'pd(�&z&}^@�jZ9�ɈB/"+� g�z
k9L)Ӻ��5f
��Љ�r�7u`u<'XqLW/ASB�9��2���E;A#qD d���Ǝ|�@=A(�S^�s�0<](0��J[6a^4�YQ.��6ch
zT7DZ\/��s��v-�N�\s�υe�
(5�u�RV*"h\5@V �2ˁ;�_.3QX�z�GRUe@5eģT3%
y
$:-.wEZЊV�i&l�XMXo�rs5b drITܴ�j7/
v\vO�9ML4�M B �l�q_KᘃkLo9��-4j=rP9(�p�K��d3���8@X�y}�bS�衧,4Au�q0ݎ�s�/$ڎ�Vŵ]2eH�$V�Pq+Z@`NjV�%"< ;�(>dk�LGI^�&.2O>%WW\�5��q��ѿ$Ͽ�vn� >hl>*%M+t׀mj%WnG;a&�ra&�5��*�O�27\�'�*�Zl{%g%lUs^eXoo~py# dG"G~{!\w.K5?nV'˶lu�߽����4KC�ȃ��!zۭ�FS�Luk3d8)2Og~H13^3l&�t�ܗI��:�/�s:֒TzA[kɶj6ϐa6�F}m7Z�)Ί#�ºU�XHE`&.&�)TktZ�-���l�1@�+JFtzWOѱ�{mE
�h���bT� zE/b)%Q\(둞�OYI{D�"G0��(:{_ۡ;חo)J�!~_!c/Mp<"��m{pУJqkG='$CybS`Ӄ
�s;�гNҴ�v(���?$E��骺�@7db&u"J U5��Sz-ŧ
[O|^BB�a�J9a2q;Ik�vk�[��N SJ)���# Um$IjSf�k��C@$ğ_�Iv(+HdAzW�r��Ú�mfyWt.o]7�"�=�6[
.V�MG�_8_`w[D HY�)o-y�b}YGJ^KJpVKuVǼx�-N`1�$ѣ���i��9$g�P*�T���ۦN�+{tt�OY
bN~ؑqE�42Thix�sX6r=ahNх[e��YvU%3m�ԧ#�w1!h��=iѧ�ϼ� �ா��S ~]���J5rל8_In,⏦;-�GN'~.?@�6̯�{�$U
:t{D/�{uk*=+3ǣA���#'䂅�*ni
e%s�
Cߊ{)S^[qç}E��4r7tC/TR;I2ӱ$B�TU+h*ۻ�ʾEVeΜtٓNt9>2�X!�7Yu��(fh~Z:pKҠc�c}d�<ݸޮ;mC\�`l߫C�.},QFq>.�~)dR��ʷFE*]s\~Z�p;D�)8yȁqR�) y�b6kK`#j4GBa"Fc�ME]3ӧc1�Y#¿6#� Rf�;nN��O�a�|�0[؞qnbL��drOB%O�6÷kFp7�N
/f_�!σ�!%�JJ-�ץc6m�@|Ր۰ï�h]1y�`j}Z�$8\b��ulD[ேgɎ7e{cA1f̙�ʈ1_j
w]�KNW6o,)�� \�7?j{\nn�a_o�=�3VNbWg |db[\jbײT3Ke��3�b(*?�xlFn
\Q�-\nA%`-º���j >�u]��uPAfO#hb@D:$G&�!zӻe,�3`�L<�Afb��eݦ^0Ӆ3��+
.UU%"C 4tҞKi_t�/:��Q#sX.�&�f�yf=P5@^
]3H���!^ރcD�+�(�Y��Ƥ�XS2�Oi̎5R+ȯ7w5EJ*iy��ОO�br�(Pr{�
�.��j�3<:i:8�����2E�����b7!,Đ8DC�y
�Ttg�f܊vJ�NKΕ���`&-HE�Ea)ciBXJs(���6�CPt&�fs���-rmbQ)gL!�<�< �|d�y竘c^�S!^拊oE�
�ZܔB˯.zS��eD��}W/p0��R<^:u/U+� ?7�R!H@�$b$�&H߰
3nOQjeS<: zapj}#_�#_ĵM1��N}xRP?\=X #�\c3>$=��^�
�(CYOJac�-22ғ6Ȱtj0@�Y.r�A+XgH !7�X*[UҪhmpٽ}i8 a 5�`^����s�\�/-S;��w%]:|a6��o|B��˙�}e·_a/D0NB$���^qu{c9DT�G/Me7$5H��dLgs~�$G1,��<�=�8x遤�2]vH61x���aH���"{E�-3|v
)Z1u�܁jt�0e��sϜ�t�mӗn\6%�81o4T�BeE�T��wc$zm$y>^.!^ȉ!\]� o5�";eHKW.e1+�-��!}d;R�87\|
SǦV?{af��#> $g
zu-LD/T�mHע�]N"�/�03ƻ^�j��{{5$ׇ%����A�
pAz5�"b��4ȼ!TW ūt�:&K�!��vf��3d&,W}l[k\}M]YYYYYYYYYYXY�J붲FJuu�m��E2Ct�]{6,0>!A�� }o@݇��泀&ph֢��F �֒D(�&W#}_i8IFX2̭La enè;
J�puDp =AG/]� 7�}�X67u
Y+z�)�לViӢ}B53xB���V|!;zOHW:iwWʃO\�O_��dEi'٫��CYPm
MQ�ì�fl!ۿPmdɷȷQV^#Cm2Q�B�q߿ۉ.�"[ә��Կ �JI0OX�d\(�^C�8�j
u�-k�Vq=n��/d7/|�ݎpw1J���k)G>ş�;VZ�-�+NB,n�w /T5,X�&��?RaQ�QYݣ�\ۦw;ѝ`D�nt�Q�Y]�Pô-Y1�cW�F�=�%h�ٵe ,QG,]Es�NM?Ñ:ȩ-[�W��FX*�Y"*��Z�"�'"�KI�H�
]A<��?���X2r�ʡy3��z�K]�|u.95�͢E o�tM��c95W*�jvzr_hZRӂ,nw9�dop?�:g[cۨ��ges�0��j£/
�JD�(-~0�1
g '徬*F�^�sʣe\\+5Mj
jG@VTp =v�:6ȵF��ķ�v"�4TO`{=ב8ۮ祸�=/RVI{#?g���T`\�֔Mq-�?(BA�d�҃�
��|p|��3��c}_�
w-(zYtƇ#b�$p�k��{{n/1�~ۈ۫kF��>ΝN/0ڱ]w&-Sݽ<�HP�Y_yRmsΩ scQ%'eve��_`�yo˪ZM8+.��Nc�1q<�>3�KXM��3�ftzG,%F̯R�]�>U�➍7XComUK]|�3P]L�rUh%MF�hd�tk*4���S�cD�x�b1bF�զɝ$7a�zg =L�v�W�p+XyjJ~'КXl�t J �ݲY0G�<68v鈎A o'}^�z�C��6&�EeRW�5�GOw_
�6fVF�ZQ1G(ˆ=xI�i4B&3'?a���L�N�sCRY
醵`M�i$�b Ƀ"vFf.B�d0�A!�m
꜓M{ha�C�t(-$}w�:�mGT��bC7G�gaa� ߩ1q�?G�6$�EyE*�d�� wC�2&�1?�r]S>c�S(�;9Ĕ#M#ݭh|}S�"F�FTw.3OaH�9P-S�["0hR1��Q�?�cMN�s��XҚ0!<���\N~�}s=<ֆ��IQ!5b�i��*"��cs6#&lO�Ã6�'b|v��#@��
�l!�1�g�<[(�ȟP¿�J�'N&Je��I �d����7
C�!\��:z)%ln*7Wp>9W,m4�
l:Lmaw�w.Bt�ѧzи̏��-Ln
0~�Y
:yС5NG#ߛ�ꞿ�Sg0�H3غ9�Pq.5$LjG5Jc�B4_ �D�ŵ��k=a]?X/#~|aЇ�8�\
���]ZUP)u�!xW`ŪZN��P&OrYͬe+c�ǯ�]hiB�R.
��?h$-GF쌆}(d2}�jڟ�4\uuuvI^ۤw|ݹw}�YX�_ۣn՜ɧէes5O-�fbv>LU%o�Ik*5/(/�33_3ү!z}q�(ޅnF:Rz} झ~�O�?�y�� NyY95;'�оNF>ӹHw2s/ ?O?��ak^d�"��"�>"���\@/2�yA�@��BǬtnj}�}
d�d
Q
M�%:Iʘ g+\8r �esͣ�z)W@^d�?e�4#�3YE�zvA�X^eR5
ௗ�ߧ}oelڹ:$�BR+�+]Q%=-{�[M�2}ח:
e|*�,XW&���e�s hxVYd�Rd�
byXeÿ~VT�枔u�]�}R�M�j. {%])We[M'ji��kr(s3g�io{dZc+m��Ⱦw�WHD2�KA1_u��Q�!��?e�hĻ+L����ٞ܃�8*9��.n
%9����#p�75ir[~|^赏?\wk�Ҿl�Z36��GӠ[Y"��B8W�Ejn2h�s҇�ŁK�
�wMm�C�tuy92"�{.ipzx�ip,�7�G@`2� rB�r�Y`ԇ`ƥK0��F{18]�v͘>:
>��^;,Ơ}Q^�I���Hl7c@诿aXmt RVWBJČ$1Kԕ&�
-^��]~�P�w¾-�~��ӳNWmb-vaʦnG)\ׄ�_^���ێ�6pPp �pUp�} w`/&c�?I�w�ax�z<#z�ĥ`\Wv�BaI��r���c
�6Nz> /!0GTbg�HIاP_CD_�vB[P�|K b;94v�L9
H|\��k,#!1苄I�US�{k�͙*q8w ɰ\,AOd-:r�C�h�M;��"sB
sJ[,�\1S&�GsEz=�6vo,�"m�G��4
(�(z�1>�Aϐ�Th1{%��%|�Vi~jF߮eh#ə�W
B|X
�Y�8��T"?�zGmw1=��ļ�KlCt�wn�{Dj;cl%E�'��Ch��±eC�gA2D~{J=&*P�=gZ�;]�v,4%^z+ϒ֒{ƶ� ;C�$+#R�.ܐO�F�{_R�a�nio/y㲁E":} S
�wogTt�|!��?,ڎN-]_l܅eN�VhJ�m[)
O~l](Ck��O6X��}D�҂ �O1S�u Ѫ�r.9|�cx njx65Tч�ee}�nH�UƧj2{:��m9��n�(Z|�ӽGLi�ZQ�ڃtERb0��yNvCF}�_�2"�L�)L� �Ԧ?N�Sw�)+]�,1AƂ?�vL7ד69~gS�g _(L���/Wt�v�/-(G,�yJ^�Q.5�7tleb�@�J\�� D\)̰SE+�K�ea$Vi)$>a�n)ZF�$c-:ԭ8=�P0��h_~"S&v^i�ܔ�uF.Dm�T_�%2lˢ��
��O߶�3qݼg"ö,�ۿyX\h�FX�3#5c��gb@xV��=_q�x�F|�/�ؙ9:t�c)d̄�2 !yyUvҥ�N袸I,G`a^d++)ؐ�9s���k�0bO���1,,�oԛ'TS*|J>��T.>ϝn<^eY;/5b7pP�9- ha�0�+�>+g5�sq7C'
C�a+g~,�m!�#�{ς �|j}�X *XC *F" ţ�8ZL+bB�#ىZsR.)C39=I� }�ɦ|nԌnBzd��v��L$3�k��O�K~!t�� �frs*]x�7[Nb���;9Ȋ�]D٣uo-+}viS#QFd7~{P x��wꐀ�Aw�0\.{�x(�b�i=|i~be�E�`D�7�bY(�L���)�X�~�ax8�2�&ϏpF:>2��1L do�*�xs(G�E�Sb|iSDmubu���f`7_cρw1P�y�%
\x,�c_ �ZhI~*` Zu�ب`�;(�VF({з`9<��%;sfHJW3(3R}TJ
:PUO���d�H;YaAg3k(�cK�ZlXH�f;v}�c�aI8(~y�WJUS?h\"$slImQ4X�k V�/UӍ��2=R�@�cC�SZ�~=�a0;%6r�i~\
�Rw·BM,��!�+�5��p;sNLכo0�/RkW�Ϡ�ط�c��3Y|jj~�pe8*�F~GTx�7Y¥wyٽnu]^_\ ���f�{�*X�X;xlx:,��ԶCe����H�4!d�+"�pz=N 6�-�>J!Z嶑��$x9cx@_/ Ba�у&�2�_eXx�0ћw! D/]G9g���[�6?�X%<�>[ɏ?�~�?|9{tڤ�jy?�]��>PS�u��4Mڲ��%xq��im�{\b]�j�]�wi:֏r����?z#\�(�ĀԠ���z�Ӎޑ<0G��,Y}|��n7cl�6ʈY�Tn,U�a:
@I^-1
u脐CEd:1am�X4ݡ@}ȧ`X�.vϱ9�
N.v?*HcAvߎ��]ρؘ�ኸc�'6DwD��&)B88X}x|8ׇ>z��YY"(hTp��pZN��B�Y'= *,сkLdB[v�� cO֞.)��G"j$4'n[#(o�o!Y!7F��\�Ca�0��=iM�jC��!Խ(Lm{\?e!"'�y7�_�`lc[$0Mmwy^eE2JRu�F.�ĝ/�A0�Z*�2��1F3���pn<*Kw�Tnv1q0>
[��4P9,'s�{쨭&C��qd̬;r= @'ݴdg;bHFT{�V@�Z@}�+ᰈ[#��pB�qp�1�ְ\/B,�ۮOs+(+4FuF�Ae/�CAזL<ʮLCV��
-h}:o0
Y�N}u9t(p14%x\0W=.>�vK|"�+R-qM"{>L;TG_w?\HaF�i�ӽ>iA0�OXI}2#ނ�b̚&z�c,�6��w%_��=�Y3BUhD4���߷�[16���>ZrjE[6CDlo�7k0�mľ^n:%s|P�r��II൙mTN$ѻN}�D�Oeh��V.ކe/ao?/_�/A��
|
Network Security & Hardware 
