Cisco's first patch day arrives
As recently announced, Cisco has organised its first patch day. Further patch days are scheduled to occur every six months. Cisco is bundling all its updates to the IOS router operating system and delivering them in one go to help administrators plan patch deployment, in a similar manner to Oracle and Microsoft. This time round, Cisco has published five security advisories.
Four of the patches plug denial-of-service holes in the router operating system. One update closes a vulnerability through which confidential data could be spied on.
Cisco routers on which Multiprotocol Label Switching (MPLS), Virtual Private Networking (VPN) and Open Shortest Path First (OSPF) are activated can have their packet queue blocked, suffer a memory leak and on occasion be reset unintentionally. On machines that use Virtual Private Dial-up Network (VPDN) with the Point-to-Point Tunneling Protocol (PPTP), memory leaks can unexpectedly interrupt sessions and consume all the interface resources.
Another vulnerability may occur when IPv6 support is activated and specific IPv4 UDP services are running at the same time. Manipulated packets sent to routers can make the network interface stop accepting further packets, and if those packets are addressed to the Resource Reservation Protocol (RSVP) service, a router may even crash completely. Due to holes in Data-link Switching (DLSw), crafted UDP packets or packets using IP protocol 91 (Locus Address Resolution Protocol, LARP) can also reset the machine or cause memory leaks.
The last vulnerability report on this Cisco patch day refers to a hole in the Multicast Virtual Private Network (MVPN), through which attackers can access confidential data. By sending manipulated messages they can receive the actual protected multicast traffic – even from other Multiprotocol Label Switching VPNs.
The patches can now be downloaded by registered users using links given in the advisories. Administrators should apply the patches if they are running vulnerable versions of the software on their routers. Cisco names the affected versions and gives links to the updates in its security advisories. Cisco has also provided a summary of the patches, which hardly lives up to its name: it essentially gives links to the individual security advisories and contains a multipage table listing the vulnerable and non-vulnerable versions of the operating system.
- Combined IOS Table for March 26, 2008, Security Advisory Bundle, summary of Cisco's patches
- Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720, Cisco security advisory
- Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability, Cisco security advisory
- Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak, Cisco security advisory
- Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers, Cisco security advisory
- Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS, Cisco security advisory