Cisco over the past week has announced a series of vulnerabilities in multiple products. Most are denial-of-service issues, while two additional problems could allow improper authentication.
The advisory, “Cisco Telnet Denial of Service Vulnerability,” describes a potential denial of new connections on a series of network services, specifically “telnet, reverse telnet, RSH [Remote Shell], SSH [Secure Shell], and in some cases HTTP [Hypertext Transport Protocol]” on devices running Ciscos IOS operating system.
The condition is caused by a specially crafted TCP connection to the device using telnet or reverse telnet. Only new connections are affected. Existing communications over the affected protocols, as well as other services, are not affected. Secunia rates the vulnerability as “less critical.”
Cisco has not yet provided fixes or updated versions for this problem.
The second advisory, describing “Multiple Vulnerabilities in Cisco Secure Access Control Server,” is also rated by Secunia as “less critical.”
Ciscos ACS (Access Control Server) products “provide authentication, authorization and accounting [AAA] services to network devices.” Cisco Secure ACS for Unix is not affected.
The advisory describes five bugs affecting different versions of the products. Three of the bugs involve denial-of-service attacks. A TCP connection flood against the Web-based management interface on port 2002 could lead to a denial of service for new connections on that port and instability in other authentication services on the device.
Another denial of service comes from a crash of the ACS when it is configured as a LEAP (Light Extensible Authentication Protocol) RADIUS Proxy. A reboot is required to clear these errors.
The advisory also describes a security policy error when ACS is authenticating against an external NDS (Novell Directory Services) database. If the NDS allows anonymous bind, and if the ACS uses NDS and not Generic LDAP for authentication, then users can authenticate against the database with blank passwords. An attacker also could gain connection to the management GUI on the device if they spoof the IP address of a user computer connected to it and guess a random IP address used by the browser and management interface.
Fixes and updated versions are available for all of the bugs. See the advisory page for more details.
The final advisory, “Cisco IOS Malformed OSPF Packet Causes Reload,” describes a denial-of-service bug in support for OSPF (Open Shortest Path First) in some versions of IOS devices.
A malformed OSPF packet can cause the device to reset, potentially taking several minutes to regain functionality. This bug is also rated by Secunia as “less critical.”
The bug can be remotely exploited and can be made to target all devices on a local segment. OSPF is not enabled by default, and Cisco describes workarounds to address the issue and has also provided free software to address this vulnerability.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: