Cisco patches against network authorisation flaw


Antony Savvas

Cisco Systems has patched a hole in its main switch and router operating system which could allow users to gain network privileges above their authorisation.

In addition, Cisco has patched against a known hole in some of its virtual private networking systems, which could allow remote attackers to cause a denial of service attack.

The authorisation problems occur in Cisco’s main Internetwork Operating System (IOS), which is used in most of Cisco’s switches and routers.

The company has issued a patch to prevent users employing the Tcl (Tool Command Language) exec shell to get around the Authentication, Authorization and Accounting (AAA) command authorisation feature in its kit.

A user employing the Tcl exec shell could use that access to execute commands above their privilege level.

In addition, if Tcl users terminate their sessions without first leaving Tcl shell mode with the tclquit command, the shell process remains active and allows other authenticated users to bypass AAA command authorisation checking as well.

The vulnerability affects all Cisco products running Cisco IOS Version 12.0T or later. To take advantage of the flaw, support for the Tcl functionality has to be enabled on the kit, and the AAA command authorisation feature has to be enabled too.

In addition, Cisco has issued a patch on a previously reported denial of service threat, which affects Cisco VPN 3000 series kit running software 4.7.0 to 4.7.2.A.

If unpatched, a denial of service could be created by sending a malicious HTTP packet to the VPN kit, causing it to reload repeatedly, resulting in crashed networks.
