Cisco Finds Another Flaw
As usual, the problem can be exploited to create a denial of service (DOS) attack against a Cisco box. In this case, there's a chance it could also be used for an "arbitrary execution code attack," meaning the attacker could, in a sense, remotely take over the Cisco device in question.
The hole relates to certain versions of IOS's Firewall Authentication Proxy for FTP and/or Telnet Sessions, but doesn't apply to devices configured with only HTTP or HTTPS authentication. The vulnerability, exploitable by an attacker who has established a TCP connection with the device, occurs while IOS is authenticating a user coming in via FTP or Telnet.
Cisco offers a patch for many versions of IOS affected, with users of some older versions being told to migrate up. The company says it knows of no successful attacks that have exploited this problem.
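The affected condition the article describes is a configuration question: is the Firewall Authentication Proxy applied for FTP or Telnet, or only for HTTP/HTTPS? The following script is an added example, not code from the article or from Cisco, that triages saved IOS running-configs for that condition. It assumes the standard IOS syntax `ip auth-proxy name <rule> {http|ftp|telnet} [...]` for defining a rule and `ip auth-proxy <rule>` under an interface for applying it; the sample config text is constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not from the article). Assumed syntax:
#   ip auth-proxy name <rule-name> {http|ftp|telnet} [options]
#   interface <name> / ip auth-proxy <rule-name>
SAMPLE_CONFIG = """\
hostname edge-router
!
ip auth-proxy name WEB_AUTH http inactivity-time 60
ip auth-proxy name FTP_AUTH ftp
ip auth-proxy name TELNET_AUTH telnet absolute-timer 30
ip auth-proxy name UNUSED_FTP ftp
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy WEB_AUTH
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip auth-proxy FTP_AUTH
 ip auth-proxy TELNET_AUTH
!
end
"""

# Constructed config that only authenticates HTTP: not in scope per the advisory.
HTTP_ONLY_CONFIG = """\
hostname branch-router
!
ip auth-proxy name WEB_AUTH http
!
interface FastEthernet0/0
 ip auth-proxy WEB_AUTH
!
end
"""

RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (http|ftp|telnet)\b", re.M)
APPLY_RE = re.compile(r"^\s+ip auth-proxy (\S+)\s*$")


def parse_rules(config):
    """Map each auth-proxy rule name to the set of protocols it authenticates."""
    rules = {}
    for name, proto in RULE_RE.findall(config):
        rules.setdefault(name, set()).add(proto)
    return rules


def parse_applied(config):
    """Map each interface to the auth-proxy rule names applied under it.

    Interface sub-commands are indented in IOS configs; any non-indented
    line (including the '!' separator) ends the current interface block.
    """
    applied = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            applied.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            m = APPLY_RE.match(line)
            if m:
                applied[current].append(m.group(1))
        else:
            current = None
    return applied


def assess_exposure(config):
    """Report interfaces where an FTP or Telnet auth-proxy rule is actually applied.

    A rule defined for FTP/Telnet but never applied to an interface is not
    counted: the authentication path the advisory describes is only reachable
    through an interface on which the rule is active.
    """
    rules = parse_rules(config)
    applied = parse_applied(config)
    findings = []
    for iface, names in applied.items():
        for name in names:
            for proto in sorted(rules.get(name, ())):
                if proto in ("ftp", "telnet"):
                    findings.append((iface, name, proto))
    return {"affected": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("http-only", HTTP_ONLY_CONFIG)):
        result = assess_exposure(cfg)
        print(label, "affected:", result["affected"])
        for iface, name, proto in result["findings"]:
            print("  ", iface, "applies", name, "for", proto)
```

Run against a directory of archived `show running-config` output, the script gives an inventory of which devices need the Cisco patch or an IOS migration first; devices that come back with only HTTP rules still deserve the upgrade, but are outside the condition the advisory names.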
DOS vulnerabilities, usually related to a buffer overrun, get announced by Cisco every couple of months, as the company routinely discloses the flaws it has found and patched (see Cisco Warns of TCP Timestamp Flaw, Cisco Discloses Latest IOS Flaws, and Cisco IOS Hole Points to VOIP Threat). But the ability to run arbitrary code on a Cisco device presents more dangerous possibilities for hacker sabotage.
That problem got plenty of attention with the Michael Lynn controversy earlier this summer. A former researcher with Internet Security Systems (ISS), Lynn spoke at the Black Hat Briefings conference, saying he had found a way for attackers to run arbitrary code on an IOS device. Cisco had his talk excised from conference materials and won an injunction preventing Lynn from discussing the matter further (see Cisco Faces Security Flap, Cisco Reveals 'Black Hat' Flaw, and Feds Grant Cisco an Injunction).
— Craig Matsumoto, Senior Editor, Light Reading