Cisco issues fresh security warning

Red-faced networking giant Cisco has been forced to issue a fresh warning to customers that its routers can crash when tested for vulnerabilities by security scanning software programs.

The defect, caused by a fault in Cisco's IOS (Internet Operating System) software, can be exploited to produce a consistent denial of service (DoS) attack.

The defect came to light two months ago but users are still being affected.

Cisco customers using the affected IOS software releases - which include 11.3AA, and a number of 12.0 releases up to and including 12.0(6) - are urged to upgrade as soon as possible to later versions, which are not vulnerable to the defect.

Richard Stagg, senior security architect at Information Risk Management, said Cisco is blaming security tools for this issue when the problem is far wider. "Cisco is obfuscating the fact that its routers have a weakness to denial of service attacks. The idea that these denial of service attacks can be triggered by security scans is even more embarrassing," said Stagg.

The DoS aspect of the flaw was discovered by several Cisco customers while they were conducting security scans of their networks. However, Cisco said it has still received no reports of malicious exploitation of the flaw.

Cisco's advisory notice states: "The defect can be used to mount a consistent and repeatable denial of service attack on any vulnerable Cisco product, which may result in violations of the availability aspects of a customer's security policy. This defect does not cause the disclosure of confidential information nor allow unauthorised access."

The flaw in IOS is exposed when unspecified security scanners test for the presence of two specific vulnerabilities that affect certain Unix-based systems. These vulnerabilities are unrelated to Cisco IOS software.

However, a side effect of the tests means that a router can crash without warning.

During the test, the scanning program invokes the Telnet Environ option #36, before the router is ready to accept it. This causes the router to reset itself unexpectedly.

In lieu of a software upgrade, Cisco has detailed workarounds. These involve setting up an interactive log-in capability without using the Telnet service, thus mitigating the threat.

This vulnerability affects a wide range of Cisco's hardware line, including series access servers, routers, access products and voice gateway products that are still running the vulnerable software.