In association with heise online

23 September 2010, 12:03

Cisco scheduled bug fixes


On Wednesday, 22 September, as part of its bi-annual update schedule, Cisco issued six security advisories relating to various components of its switches and routers. Cisco's advisory listing also shows two September report updates and two advisories for August flagged as new.

The advisories address vulnerabilities in Cisco voice products and DoS holes in Cisco IOS and IOS XE software, which can be exploited remotely without authentication and without end-user interaction. Cisco says some of these vulnerabilities could possibly be exploited to crash an affected router. The IOS errors are in the translation of H.323, SIP, IGMP and NAT packets and in SSL VPNs, and can be exploited to remotely reboot a device. All that is needed to exploit the flaw is to send a prepared packet to a vulnerable device. For UDP-based protocols such as SIP, this works even with packets that carry a spoofed return address, so filtering for specific addresses is only partially effective.

Cisco has an update for IOS available to registered customers which corrects these errors. An error in the Unified Communications Manager also concerns the SIP implementation and can be exploited remotely for DoS attacks. Versions 6, 7 and 8 are affected and Cisco has released updates to fix the problem.

Cisco's next scheduled update is set for 23 March 2011.

