Cisco IOS gets fixes for 12 DoS bugs

Cisco releases 9 advisories to address 13 vulnerabilities on March patch day as part of its bi-annual IOS patching exercise.

Cisco released its semi-annual IOS software security advisory bundled publication as part of its bi-annual patch release last week. This IOS patch update includes nine security advisories which cover a total of 13 vulnerabilities, 12 of which are DoS vulnerabilities. The last major IOS patch was released by Cisco in September 2011. These advisories address vulnerabilities in different components of Cisco’s IOS framework, with all the vulnerabilities scoring a CVSS base score between 7.1 and 8.5. The highest-scoring vulnerability, at 8.5, is a command authorization bypass bug in IOS, which may allow arbitrary command execution from a remote application or device while using authentication, authorization and accounting (AAA) authorization.

Cisco IOS Software Zone-Based Firewall suffers from four DoS vulnerabilities that have been patched. All four have a CVSS score of 7.8, and involve the H.323 inspection engine (firewall HTTP inspection engine), a bug triggered by crafted IP packets, and a Session Initiation Protocol (SIP) engine issue.

Other DoS vulnerabilities are present in the following IOS software components:

The consolidated advisory is available here. Cisco’s IOS software checker tool can be used to check if a particular IOS software release is vulnerable. This tool does not support IOS XE and interim builds of the IOS platform.
