09 August 2007, 15:54

Cisco fixes vulnerabilities in several products

Cisco reports vulnerabilities that may endanger stable operation in several of their products. Attackers can exploit these, for example to cause denial-of-service attacks or to inspect configuration or other data.

Due to a vulnerability, the Secure Copy Server implemented in Cisco's IOS network operating system allows access to all files stored on a device including the configuration files, which contain encrypted passwords. A valid account is necessary for access, but administrator privileges are not required. By default, though, SCP is deactivated.

A vulnerability in the implementation of Next Hop Resolution Protocol (NHRP) under IOS can cause the router to restart. A crash of the IPv6 subsystem can also be provoked in IOS using an IPv6 packet which has type 0 set in its routing header. Under certain circumstances, IOS also mistakenly copies data from the packet payload buffer into the header and attempts to send it. Type 0 has attracted attention because it may allow a firewall to be bypassed by source routing and possibly enable access to protected systems. For this reason, the developers of FreeBSD, OpenBSD and Linux deactivated the support of type 0 headers in IPv6 back in April.

Finally, Cisco refers to vulnerabilities that can be exploited when processing several IP telephony protocols under IOS. Apparently it is possible to cause the device to crash using specially prepared packets for Media Gateway Control Protocol (MGCP), the H.323 and H.254 signalling protocols and Real-time Transport Protocol (RTP). A vulnerability in the implementation of Session Initiation Protocol (SIP) that also causes a crash is present both in IOS and in the Cisco Unified Communications Manager.

Cisco has released updates that correct these problems for all affected products. Refer to the original advisories for more detailed information.