Cisco Discloses Serious IOS Flaw

Cisco Systems Inc. last week alerted users to multiple vulnerabilities in the Secure Shell (SSH) server implementation that ships with version 12.4 of its Internetwork Operating System (IOS).

In some cases, Cisco warned, a malicious attacker could exploit a flaw in the IOS SSH implementation to trigger denial of service (DoS) and reload the device.

Elsewhere, Cisco confirmed, attackers can exploit its IOS SSH implementation to generate spurious memory access errors. If an attacker is able to repeatedly reboot an IOS device, extended DoS could result, Cisco warned.

Cisco lists the IOS SSH daemon (SSHd) as an "optional" service, but its use is nonetheless highly recommended, because SSH facilitates secure command-line connectivity to IOS devices. Not all IOS devices are affected. According to Cisco, certain devices powered by IOS version 12.4 (and running SSH) may be affected. Versions of IOS prior to IOS 12.4 (including all 10.x and 11.x releases), as well as Cisco IOS XR, are not affected, according to Cisco.

Cisco has published a software update and recommends any of several workarounds for customers who don't wish to update their software. The first and most obvious workaround, according to Cisco representatives, is to disable the IOS SSHd. Users can also configure VTY access classes to allow only trusted hosts to establish SSH connections. Elsewhere, Cisco said, users can configure infrastructure Access Control Lists (iACLs), a recommended security best practice, to restrict network traffic from targeting infrastructure devices.

In addition, Cisco said, customers can tap TELNET as an insecure alternative to SSH.
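As an added example (not from Cisco or the original article), the Python check below reads a saved running-config and reports VTY lines that accept SSH with no inbound access class, plus any that accept Telnet. The sample config, hostname, ACL number and the handling of a missing `transport input` line are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device). Addresses are
# documentation ranges; the hostname and ACL number 10 are arbitrary.
SAMPLE_CONFIG = """\
version 12.4
hostname edge-rtr-01
access-list 10 permit 192.0.2.0 0.0.0.255
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
end
"""

def audit_vty(config):
    """Return (ios_version, findings); findings are (vty_section, issue) pairs."""
    version, sections, current = None, {}, None
    for line in config.splitlines():
        if line.startswith("version "):
            version = line.split()[1]
        if line.startswith("line vty"):
            current = line.strip()
            sections[current] = []
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())   # sub-command of a VTY block
        else:
            current = None                            # any other top-level line
    findings = []
    for name, cmds in sections.items():
        transports = None
        for cmd in cmds:
            if cmd.startswith("transport input"):
                transports = cmd.split()[2:]
        # Assumption: with no explicit "transport input", treat SSH as accepted.
        ssh_ok = transports is None or bool({"ssh", "all"} & set(transports))
        restricted = any(re.match(r"access-class \S+ in\b", c) for c in cmds)
        if ssh_ok and not restricted:
            findings.append((name, "SSH accepted with no inbound access-class"))
        if transports and {"telnet", "all"} & set(transports):
            findings.append((name, "Telnet accepted (cleartext)"))
    return version, findings

if __name__ == "__main__":
    ver, issues = audit_vty(SAMPLE_CONFIG)
    print("IOS version:", ver)
    for section, issue in issues:
        print(f"{section}: {issue}")
```
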

According to Cisco, the SSHd flaws were discovered internally or as a result of customer service requests. As a result, Cisco said it does not know of any malicious activity associated with the SSHd flaws.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
