Cisco patches IOS in major rollout, releases 10 security advisories

In a major patching exercise, Cisco released 10 security advisories along with patches, on Sept. 28, 2011. Eight of these advisories pertain to the IOS network operating system — the foundation for most of Cisco’s switches and routers. The last two advisories address flaws in Cisco’s Unified Communications Manager and the 10000 series routers. A total of 19 bugs have been patched.

In most cases, immediate patches are a requisite, due to lack of ad-hoc measures. Most of the vulnerabilities are Denial of service (DoS) flaws affecting various Cisco products, resulting from how IOS processes specially crafted packets and messages.

According to Cisco, flaws in IOS may cause device reboots/resets while encountering malformed IPv6 packets. This flaw may be exploited to perform a DoS attack on vulnerable devices. IOS also suffers from other IPv6 issues like an IPv6 over MPLS DoS vulnerability and ICMPv6 Packet Multiprotocol Label Switching DoS vulnerability. Details can be found here. A suggested workaround is to disable IPv6 functionality.

Cisco confirms that IOS’ intrusion prevention system (IPS) and Zone-based firewall is also vulnerable to attack. Flaws in IOS’ IPS and zone-based firewall could cause a device to become unstable and crash while performing packet inspection on specially crafted HTTP packets. This is due to a memory leak in the packet inspection mechanism and IOS’ processing of HTTP packets, according to Cisco. No workarounds are available to mitigate this issue.

A vulnerability in Cisco Unified Communications Manager — also present in IOS — is a session initiation protocol (SIP) packet handling flaw that can be exploited for a DoS attack. In addition, IOS also suffers from two more SIP flaws that result from memory leaks and incorrect handling of malformed SIP packets. The SIP protocol is used to provide VoIP and IPv6 services. A suggested workaround is to disable SIP, or vet devices using SIP to prevent spoofing.

According to Cisco’s advisories, multiple network address translation (NAT) vulnerabilities exist in the Cisco IOS Software when it comes to translation of LDAP, SIP and H.323 protocols. These flaws are caused by packets in transit, requiring application layer translation on the affected devices. These vulnerabilities may be exploited for DoS and include:

• IOS NetMeeting Directory LDAP processing flaw (CVE-2011-0946)
• IOS SIP/NAT vulnerability (CVE-2011-3276)
• IOS H.323 packet NAT bug(CVE-2011-3277)
• Two Cisco IOS SIP UDP packet NAT vulnerabilities (CVE-2011-3278 & CVE-2011-3280)
• MPLS packet NAT flaw (CVE-2011-3279).

The consolidated Cisco advisory can be referred here. Other vulnerabilities identified in IOS include a flaw in IOS’s data-link switching IP packet processing, a memory corruption vulnerability in IOS’s IP SLA and IOS’ smart install feature, which suffers from a remote code execution bug. The last advisory details an ICMP packet processing bug in the Cisco 10000 series router. This flaw is the result of errors in handling malformed ICMP packets, and may be exploited by an unauthenticated remote attacker for DoS.

While the advisories list affected devices, the nature of these vulnerabilities has been restricted to registered users. This is ostensibly to prevent the bugs being exploited in the wild, and give users time to plan patch rollouts. Cisco says that there is presently no evidence of the vulnerabilities being exploited in the wild and that these advisories are the results of internal tests on IOS. Cisco recommends using the Cisco IOS software checker to determine if an update is required. The complete advisory bundle is here