Ciscos Fix: Too Many Holes in IOS

Opinion: Cisco's spotty IOS router operating system has made for a cruel summer as the networking giant scrambles to fix vulnerabilities.

Cisco has had a summer just chock-full of security problems in many of its products.

Keeping up the tradition of the "annus horribilis," the company just this week had to reveal a problem in one of its core products that the French Security Incidence Response Team has labeled as "critical."

The problem is with Ciscos IOS router operating system, used in many of its core routing products. It involves the authentication system for FTP and telnet connections.

The vulnerability could allow attackers to take over or repeatedly crash devices running the operating system.

More specifically, it is the IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions that is the problem.

This proxy allows system administrators to set security profiles for individual users logging on to network services via FTP or telnet.

If someone remotely creates a TCP connection to an affected IOS device, a buffer overflow could be created by that remote user.

Cisco said in its advisory that such an exploit could allow for the remote execution of code specified by the remote user, or cause the router to crash and reload itself.

According to Cisco, the problem that afflicted versions of IOS include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T.

IOS versions that have been confirmed by Cisco not to be vulnerable include IOS XR and IOS versions 12.2 and earlier, including 12.0S.

/zimages/5/28571.gifTo read more about Ciscos vulnerable Web routers, click here.

It also seems that specific devices wont be affected by the problem if they dont have the Firewall Authentication Proxy for FTP and/or Telnet configured.

This implies that system administrators can get around the problem by deploying authentication services for HTTP and HTTPS.

This method should most likely be used only as a band-aid alternative to running an unpatched (and known vulnerable) IOS.

Since the patches are freely available, it would behoove admins to check them out and see if they can be integrated into you code train.

There are other workarounds (like disabling the entire Proxy Authentication feature) that have been posted by Cisco at the URL above, but their use must be dependent on a users specific setup as to whether or not they will be effective in solving the problem by becoming a transparent workaround.

For instance, Cisco suggests that "the Control Plane Policy (CoPP) feature can be used to mitigate the effects of this vulnerability by only allowing trusted hosts to attempt connections through the auth-proxy router."

The company also suggests that "Care must be taken to ensure that legitimate management connections to the auth-proxy router itself are not dropped by the CoPP policy."

CoPP is available only in IOS release trains 12.0S, 12.2S and 12.3T.

There are other detailed suggestions for problem mitigation in the Cisco advisory, but they once again will depend on your specific network setup.

Larry Loeb was consulting editor for BYTE magazine and senior editor of WebWeek. He serves as a subject matter expert for the Department of Defenses Information Assurance Technology Analysis Center, and is on the American Dental Associations WG-1 and MD 156 electronic medical records working groups. Larrys latest book is "Hackproofing XML," published by Syngress (Rockland, Mass.). If youve got a tip for Larry, contact him at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.