Cisco Comes Clean on Extent of IOS Flaw

Days after taking legal action to block a security researcher from discussing a flaw in its Internetwork Operating System, Cisco issues an advisory confirming the extent of the vulnerability.

LAS VEGAS—Cisco Systems Inc. on Friday confirmed that a security hole in its Internetwork Operating System could be exploited by remote attackers to execute arbitrary code.

The routing and switching giant's confirmation comes just days after details on the extent of the flaw were released at the Black Hat Briefings here by former Internet Security Systems Inc. researcher Michael Lynn.

Lynn's dramatic presentation caused quite a stir and prompted Cisco and ISS to file an injunction and temporary restraining order to block the further dissemination of information on the IOS flaw.

Cisco is now coming clean on the extent of the flaw, which carries a "high risk rating" and could cause much more than denial-of-service attacks on routers.

In an advisory, Cisco said the IOS software contains a vulnerability in processing crafted IPv6 packets.

The company warned that an unauthenticated, external attacker that sends an IPv6 packet from a local network segment to an affected device can cause the device to reload or execute arbitrary code. Repeated exploitation may cause a sustained denial-of-service condition.

The vulnerability only affects devices that are configured to process IPv6 traffic.

"Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets can not traverse a 6to4 tunnel and attack a box across the tunnel. The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability can not be exploited one or more hops from the IOS device," the company explained.

Due to the scope of the flaw, Cisco is encouraging network administrators to meet with their service provider or support organization to determine the most appropriate workaround for each affected network.

Administrators who do not require IPv6 processing can disable IPv6 on an affected device. Issuing both the "no ipv6 enable" and "no ipv6 address" commands on each interface will accomplish this, the company said.

Administrators should also upgrade to an unaffected version of Cisco IOS.

Software versions and appropriate fixes have been included in the Cisco advisory.