Cisco Discloses Serious IOS Flaw

Cisco Systems Inc. last week alerted users to multiple vulnerabilities in the Secure Shell (SSH) server implementation that ships with version 12.4 of its Internetwork Operating System (IOS).

In some cases, Cisco warned, a malicious attacker could exploit a flaw in the IOS SSH implementation to trigger denial of service (DoS) and reload the device.

Cisco also confirmed that attackers can exploit its IOS SSH implementation to generate spurious memory access errors. If an attacker is able to repeatedly reboot an IOS device, an extended DoS could result, Cisco warned.

Cisco lists the IOS SSH daemon (SSHd) as an "optional" service, but its use is nonetheless highly recommended, because SSH facilitates secure command-line connectivity to IOS devices. Not all IOS devices are affected. According to Cisco, certain devices powered by IOS version 12.4 (and running SSH) may be affected. Versions of IOS prior to IOS 12.4 (including all 10.x and 11.x releases), as well as Cisco IOS XR are not affected, according to Cisco.

Cisco has published a software update and recommends any of several workarounds for customers that don't wish to update their software. The first and most obvious workaround, according to Cisco representatives, is to disable the IOS SSHd. Users can also configure VTY access classes to allow only trusted hosts to establish SSH connections. Cisco also said users can configure infrastructure Access Control Lists (iACLs), a recommended security best practice, to restrict network traffic destined for infrastructure devices themselves.
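The two filtering workarounds above can be illustrated with an IOS configuration fragment. This is an added example, not text from the Cisco advisory or the article: the management subnet 192.0.2.0/24, the infrastructure loopback range 198.51.100.0/24 and the interface name are placeholder values from the RFC 5737 documentation ranges. It shows a VTY access class that admits SSH only from trusted hosts, and an iACL on an edge interface that drops traffic addressed to the devices' own infrastructure addresses while leaving transit traffic alone.

```cisco
! --- Workaround 1: VTY access class (assumed trusted management subnet) ---
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 ! Only hosts matched by MGMT-HOSTS may open a session on these lines
 access-class MGMT-HOSTS in
 ! Accept SSH only; Telnet is refused on these lines
 transport input ssh
 login local
!
! --- Workaround 2: infrastructure ACL on an edge interface ---
! Addresses in 198.51.100.0/24 are assumed to be the routers' own
! loopback/link addresses; 192.0.2.0/24 is the trusted management subnet.
ip access-list extended IACL
 ! Management stations may still reach the infrastructure over SSH
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 ! Everything else aimed at infrastructure addresses is dropped and logged
 deny   ip any 198.51.100.0 0.0.0.255 log
 ! Transit traffic (not destined for the infrastructure) is unaffected
 permit ip any any
!
interface GigabitEthernet0/0
 description assumed external-facing interface
 ip access-group IACL in
```

The `log` keywords make rejected connection attempts visible in syslog, which gives operators a simple signal that someone is probing the SSH service while the software update is scheduled. Disabling the SSH server entirely (Cisco's first workaround) is stronger but removes encrypted management access, which is why the filtering options are usually preferred.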

In addition, Cisco said, customers can fall back to Telnet, which Cisco itself notes is an insecure alternative to SSH.

According to Cisco, the SSHd flaws were discovered internally or as a result of customer service requests, and Cisco said it is not aware of any malicious activity associated with them.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
