Cisco Warns of DoS Danger for Switch Users


Dec 19, 2003

Cisco Systems Inc. this week warned that a pair of software security flaws could leave its switches open to denial-of-service attacks.

The San Jose, Calif., company issued a security advisory for its Cisco Firewall Services Module (FWSM) for the company's Catalyst 6500 Series and 7600 Series switches. The advisory noted that two vulnerabilities could result in DoS attacks on affected systems.

The first is an HTTP-authentication flaw. According to Cisco, “The Cisco FWSM may crash and reload due to a buffer overflow vulnerability while processing HTTP traffic requests for authentication using TACACS+ or RADIUS.

“This request is initiated when a user starting a connection via FTP, Telnet, or over the World Wide Web (HTTP) is prompted for their user name and password. If the user name and password are verified by the designated TACACS+ or RADIUS authentication server, the Cisco FWSM will allow further traffic between the authentication server and the connection to interact independently through the Cisco FWSM's cut-through proxy feature.”

The second occurs when the FWSM receives and processes an SNMPv3 message “when snmp-server host or snmp-server host poll is configured on the Cisco FWSM.” This results in the FWSM crashing and reloading. The company noted that this vulnerability exists even though the FWSM does not support SNMPv3. One suggestion is for the FWSM to be configured to generate and send traps using only the snmp-server host trap command.

The Cisco advisory suggests two workarounds: to restrict polling access to the SNMP server to trusted interfaces and hosts, and to disable the SNMP server on the FWSM entirely.
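
As an added illustration (not part of the original article or of Cisco's advisory), the following Python script audits a saved FWSM configuration for the snmp-server host forms described above, separating the trap-only form from the polling forms and checking polling hosts against a trusted list. The argument layout of the command, the function name audit_snmp_hosts, the trusted_pollers parameter and the sample configuration are assumptions made for the example.

```python
import ipaddress
import re

# Command family named in the article. The argument layout (interface name,
# address, optional poll/trap keyword) is an assumption.
HOST_LINE = re.compile(r"^\s*snmp-server\s+host\b(.*)$", re.IGNORECASE)

def _first_ip(tokens):
    """Return the first token that parses as an IP address, else None."""
    for tok in tokens:
        try:
            return ipaddress.ip_address(tok)
        except ValueError:
            pass
    return None

def audit_snmp_hosts(config_text, trusted_pollers=()):
    """Classify each 'snmp-server host' line as trap-only, poll-trusted or
    poll-untrusted (the polling forms are the exposed ones per the article)."""
    trusted = {ipaddress.ip_address(a) for a in trusted_pollers}
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        match = HOST_LINE.match(raw)
        if not match:
            continue
        tokens = match.group(1).split()
        keyword = tokens[-1].lower() if tokens else ""
        if keyword == "trap":
            verdict = "trap-only"
        else:
            # Bare 'snmp-server host' and 'snmp-server host poll' both allow polling.
            host = _first_ip(tokens)
            verdict = "poll-trusted" if host in trusted else "poll-untrusted"
        findings.append((lineno, raw.strip(), verdict))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname fwsm-lab
snmp-server host inside 192.0.2.10 trap
snmp-server host inside 192.0.2.20 poll
snmp-server host dmz 198.51.100.7
"""

if __name__ == "__main__":
    for lineno, line, verdict in audit_snmp_hosts(SAMPLE_CONFIG, ["192.0.2.20"]):
        print(f"{lineno:>3}  {verdict:<15} {line}")
```

Lines reported as poll-trusted still enable polling, so they remain candidates for conversion to the trap form or for the software update.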

Cisco is offering free software updates that it said address these problems.

The company has also posted the contents of the entire advisory online.
