Cisco Discloses Latest IOS Flaws

Cisco Systems Inc. (Nasdaq: CSCO) announced more security vulnerabilities in its Internetwork Operating System (IOS) last week.
Cisco issued two alerts on April 6. The first involves IPSec VPNs, where the extended authentication (Xauth) messages for handling Internet Key Exchange (IKE) can be exploited to gain control of a router. The flaw pertains to versions of IOS that are running Cisco's Easy VPN Server application.
The other flaw is actually four vulnerabilities in one. (What a deal!) All four are scenarios that can cause a router to reload if Cisco's IOS Secure Shell (SSH) server and Terminal Access Controller Access Control System Plus (TACACS+) are being used for remote management.
The danger is that one of the flaws could be exploited repeatedly to put the router in a continual state of reset, effectively paralyzing it. This is one type of denial-of-service (DoS) attack, the kind of problem pertaining to most of Cisco's security advisories these days.
Three of the trouble scenarios for this second flaw involve specific sets of actions -- for example, a logged-in user attempting a "send" command while an SSH session is awaiting another user's login and password information. The fourth scenario involves a memory leak that can crop up if an invalid user name or password is received.
Cisco is providing free software patches to address both problems.
Cisco's policy is to announce such vulnerabilities as they are discovered. The security alerts can be found on Cisco's Web site at http://www.cisco.com/en/US/products/products_security_advisories_listing.html.
— Craig Matsumoto, Senior Editor, Light Reading