In association with heise online

24 January 2008, 11:20

Cisco appliances vulnerable to DoS attack


Cisco has discovered vulnerabilities in its 500 series PIX appliances and 5500 series Adaptive Security Appliances (ASA) that attackers can exploit for denial-of-service attacks. The manufacturer also says that Application Velocity Systems (AVS) running outdated software versions do not require a new password to be set when the administrator account is set up.

In its security advisory Cisco explains that if the optional Time-to-Live (TTL) countdown feature is enabled on the device, the PIX and ASA appliances can be forced to reboot by crafted IP packets. Attackers can mount an extended denial of service attack on devices configured this way by bombarding them with such packets. Administrators can determine whether the feature is running by using the show running-config command and searching for the set connection decrement-ttl command, which is off by default.

A separate issue affects Cisco's Application Velocity System (AVS) web application accelerators. Their management consoles are shipped with a known default password, and outdated versions of the system software do not force users to set a new one when the devices are configured. This means attackers can get complete access to appliances which still use the default password. Products AVS 3110, 3120, 3180 and 3180A are affected.

Cisco provides links in its advisories to updated software that should fix the flaws. AVS version 5.10 requires you to change the system passwords when you log in for the first time after installation. Software versions 7.2(3)6 and 8.0(3) and subsequent versions for ASA and PIX appliances handle IP packets properly when the TTL decrement option is enabled. Administrators are advised to install the updates as soon as possible and change passwords on AVS products.
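The check described above, as an added example that is not from Cisco or this article: it scans a saved copy of "show running-config" for the "set connection decrement-ttl" line and compares the device's software version against the fixed releases named here (7.2(3)6 and 8.0(3)). The sample config and the version-string format "major.minor(maintenance)interim" are assumptions; trains other than 7.2 and 8.0 are reported as unknown rather than guessed.

```python
import re

# Constructed sample of a running config with the TTL decrement feature enabled
# (not captured from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
class-map ttl-class
 match any
policy-map global_policy
 class ttl-class
  set connection decrement-ttl
service-policy global_policy global
"""

# Fixed releases per software train, as (major, minor, maintenance, interim).
# Only the trains for which a fixed release is stated above are listed.
FIXED = {(7, 2): (7, 2, 3, 6), (8, 0): (8, 0, 3, 0)}


def parse_version(text):
    """Parse an ASA/PIX version such as '7.2(3)6' or '8.0(3)' into a tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)(\d*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def decrement_ttl_enabled(running_config):
    """True if any line of the running config enables TTL decrement."""
    return any(line.strip() == "set connection decrement-ttl"
               for line in running_config.splitlines())


def assess(running_config, version_text):
    """Return 'not exposed', 'exposed' or 'unknown train' for one device."""
    if not decrement_ttl_enabled(running_config):
        # Feature is off (the default), so the crafted packets have no effect.
        return "not exposed"
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Train not covered by the figures above; consult the vendor advisory.
        return "unknown train"
    return "not exposed" if version >= fixed else "exposed"


if __name__ == "__main__":
    for v in ("7.2(3)", "7.2(3)6", "8.0(2)", "8.0(3)", "7.0(7)"):
        print(v, "->", assess(SAMPLE_CONFIG, v))
```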
