Cisco Reports Multiple Security Problems

By Larry Seltzer  |  Posted 2004-08-27 Print this article Print

Three advisories from the company describe bugs involving denial-of-service issues and some authentication errors.

Cisco over the past week has announced a series of vulnerabilities in multiple products. Most are denial-of-service issues, while two additional problems could allow improper authentication. The advisory, "Cisco Telnet Denial of Service Vulnerability," describes a potential denial of new connections on a series of network services, specifically "telnet, reverse telnet, RSH [Remote Shell], SSH [Secure Shell], and in some cases HTTP [Hypertext Transport Protocol]" on devices running Ciscos IOS operating system.

The condition is caused by a specially crafted TCP connection to the device using telnet or reverse telnet. Only new connections are affected. Existing communications over the affected protocols, as well as other services, are not affected. Secunia rates the vulnerability as "less critical."

Cisco has not yet provided fixes or updated versions for this problem.

The second advisory, describing "Multiple Vulnerabilities in Cisco Secure Access Control Server," is also rated by Secunia as "less critical." Ciscos ACS (Access Control Server) products "provide authentication, authorization and accounting [AAA] services to network devices." Cisco Secure ACS for Unix is not affected.

The advisory describes five bugs affecting different versions of the products. Three of the bugs involve denial-of-service attacks. A TCP connection flood against the Web-based management interface on port 2002 could lead to a denial of service for new connections on that port and instability in other authentication services on the device. Another denial of service comes from a crash of the ACS when it is configured as a LEAP (Light Extensible Authentication Protocol) RADIUS Proxy. A reboot is required to clear these errors.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. The advisory also describes a security policy error when ACS is authenticating against an external NDS (Novell Directory Services) database. If the NDS allows anonymous bind, and if the ACS uses NDS and not Generic LDAP for authentication, then users can authenticate against the database with blank passwords. An attacker also could gain connection to the management GUI on the device if they spoof the IP address of a user computer connected to it and guess a random IP address used by the browser and management interface.

Fixes and updated versions are available for all of the bugs. See the advisory page for more details.

The final advisory, "Cisco IOS Malformed OSPF Packet Causes Reload," describes a denial-of-service bug in support for OSPF (Open Shortest Path First) in some versions of IOS devices. A malformed OSPF packet can cause the device to reset, potentially taking several minutes to regain functionality. This bug is also rated by Secunia as "less critical."

The bug can be remotely exploited and can be made to target all devices on a local segment. OSPF is not enabled by default, and Cisco describes workarounds to address the issue and has also provided free software to address this vulnerability.

Check out eWEEK.coms Security Center at for security news, views and analysis.

Be sure to add our security news feed to your RSS newsreader or My Yahoo page:  

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel