Cisco Systems Inc. (Nasdaq: CSCO) issued three security advisories today, including one allowing the possible takeover of an IOS XR router.
IOS XR is the operating system for the CRS-1 and XR 12000 lines of routers. It's a modular operating system, as is JunOS from Juniper Networks Inc. (NYSE: JNPR), as opposed to the non-modular IOS that runs on most of Cisco's routers. (See Cisco Unveils the HFR and Cisco's CRS-1 Gets Edgy.)
The "Crafted IP Option Vulnerability," as Cisco calls it, can be used to start a denial of service (DOS) attack on a router, possibly leaving it open for "arbitrary code execution," as Cisco's advisory puts it.
The Crafted IP Option Vulnerability advisory can be found here.
This appears to be the first time Cisco has found a DOS loophole specific to IOS XR. But it isn't the first vulnerability discovered in IOS XR.
An alert in April noted several IOS XR flaws related to MPLS, although it didn't indicate that the problems could be exploited to create a DOS attack. A few alerts related to DOS attacks on IOS, such as one having to do with the Internet Control Message Protocol (ICMP), have the potential to affect IOS XR as well.
Cisco's two other advisories today relate to plain old IOS.
One is a TCP vulnerability that can be exploited in a DOS attack; that one appears to affect all IOS release 12.0 versions. An IPv6 header vulnerability, where a specially crafted header can crash a router, affects only certain 12.0 versions. Cisco has issued a free fix for both IOS vulnerabilities.
Craig Matsumoto, West Coast Editor, Light Reading