Cisco Patches Black Hat IOS Flaw

Three months after Michael Lynn's controversial presentation of exploit shellcode in Cisco IOS, the company finally posts a comprehensive fix for the code execution flaw.

Cisco Systems Inc. has finally issued a comprehensive fix for a critical IOS vulnerability that set off a firestorm of controversy at the Black Hat Briefings earlier this year.

The routing and switching giants patches come more than three months after former Internet Security Systems Inc. researcher Michael Lynn quit his job to present the first-ever example of exploit shellcode in Cisco IOS (Internetwork Operating System), a presentation that landed him in legal hot water.

In an advisory published late Wednesday, Cisco confirmed Lynns summer warning that the flaw could be exploited by remote attackers to execute arbitrary commands or cause a denial-of-service on compromised routers.

Cisco described the vulnerability as an error in the internal timers that may execute arbitrary code from portions of memory that have been overwritten through attack vectors such as specific heap-based overflows.

The company said it is not aware of malicious attacks against the security hole but warned that exploit code used during Lynns Black Hat demonstration is publicly available.

/zimages/6/28571.gifCiscos attempt to quash vulnerability talk at Black Hat failed. Click here to read more.

"In many cases, a heap-based overflow in Cisco IOS will simply corrupt system memory and trigger a system reload when detected by the "Check Heaps" process, which constantly monitors for such memory corruption. In a successful attack against an appropriate heap-based overflow, it is possible to achieve code execution without the device crashing immediately," the company warned.

With the patches, Cisco has added "countermeasures" by implementing extra checks to enforce the proper integrity of system timers. "This extra validation should reduce the possibility of heap-based overflow attack vectors achieving remote code execution," the company explained.

Successful exploitations of heap-based buffer overflows in Cisco IOS software typically only causes the router to crash and reload due to inconsistencies in running memory. "In some cases it is possible to overwrite areas of system memory and execute arbitrary code from those locations. In the event of successful remote code execution, device integrity will have been completely compromised," Cisco added.

/zimages/6/28571.gifClick here to read more about Ciscos suit.

Immediately after the Black Hat brouhaha, which led to a lawsuit against Lynn and the organizers of the conference, Cisco released a patch for an IOS vulnerability in processing crafted IPv6 packets, but a comprehensive fix was delayed while the company continued to research Lynns findings.

Products affected by the heap overflow issue include Cisco IOS 12.0 through 12.4.

The company urged customers to upgrade to patched IOS versions.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.