Cisco patches against network authorisation flaw

Antony Savvas

Cisco Systems has patched a hole in its main switch and router operating system which could allow users to gain network privileges above their authorisation.

In addition, Cisco has patched against a known hole in some of its virtual private networking systems, which could allow remote attackers to cause a denial of service attack.

The authorisation problems occur in Cisco’s main Internetwork Operating System (IOS), which is used in most of Cisco’s switches and routers.

The company has issued a patch to prevent users employing the Tcl (Tool Command Language) exec shell to get around the Authentication, Authorization and Accounting (AAA) command authorisation feature in its kit.

A user employing the Tcl exec shell could use that access to execute commands above their privilege level.

In addition, if Tcl users terminate their sessions without first leaving Tcl shell mode (which is done with the tclquit command), the shell process remains active and allows other authenticated users to bypass AAA command authorisation checking as well.

The vulnerability affects all Cisco products running Cisco IOS Version 12.0T or later. To take advantage of the flaw, support for the Tcl functionality has to be enabled on the kit, and the AAA command authorisation feature has to be enabled too.

In addition, Cisco has issued a patch on a previously reported denial of service threat, which affects Cisco VPN 3000 series kit running software 4.7.0 to 4.7.2.A.

If unpatched, the VPN kit can be hit with a denial of service by sending it a malicious HTTP packet, which causes it to reload repeatedly, resulting in crashed networks.

