Cisco Discloses Serious IOS Flaw

Cisco Systems Inc. last week alerted users to multiple vulnerabilities in the Secure Shell (SSH) server implementation that ships with version 12.4 of its Internetwork Operating System (IOS).

In some cases, Cisco warned, a malicious attacker could exploit a flaw in the IOS SSH implementation to trigger denial of service (DoS) and reload the device.

Elsewhere, Cisco confirmed, attackers can exploit its IOS SSH implementation to generate spurious memory access errors. If an attacker is able to repeatedly reboot an IOS device, extended DoS could result, Cisco warned.

Cisco lists the IOS SSH daemon (SSHd) as an "optional" service, but its use is nonetheless highly recommended, because SSH facilitates secure command-line connectivity to IOS devices. Not all IOS devices are affected. According to Cisco, certain devices powered by IOS version 12.4 (and running SSH) may be affected. Versions of IOS prior to IOS 12.4 (including all 10.x and 11.x releases), as well as Cisco IOS XR, are not affected, according to Cisco.

Cisco has published a software update and recommends any of several workarounds for customers that don't wish to update their software. The first and most obvious workaround, according to Cisco representatives, is to disable the IOS SSHd. Users can also configure VTY access classes to allow only trusted hosts to establish SSH connections. Elsewhere, Cisco said, users can configure infrastructure Access Control Lists (iACLs), a recommended security best practice, to restrict network traffic from targeting infrastructure devices.

In addition, Cisco said, customers can tap TELNET as an insecure alternative to SSH.
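The VTY access-class and iACL workarounds described above could look like the following IOS configuration. This is an added illustration, not text from Cisco's advisory or from the original article. The ACL number and name, the interface, and the address blocks (192.0.2.0/24 as the trusted management subnet, 198.51.100.0/24 as the infrastructure address space) are assumptions to be replaced with local values.

```cisco
! Added example, all addresses and names are placeholders.
!
! --- Workaround: VTY access class ---
! Standard ACL listing the hosts allowed to open management sessions.
access-list 10 remark Trusted management hosts (assumed subnet)
access-list 10 permit 192.0.2.0 0.0.0.255
! Log rejected attempts so that probing of the SSH service is visible.
access-list 10 deny any log
!
line vty 0 4
 ! Only sources matching ACL 10 can reach the VTY lines.
 access-class 10 in
 transport input ssh
!
! --- Workaround: infrastructure ACL (iACL) ---
! Applied inbound on the network edge so that SSH aimed at
! infrastructure addresses is dropped before it reaches any device.
ip access-list extended IACL-IN
 remark Allow SSH to infrastructure only from the management subnet
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 remark Drop and log all other SSH destined to infrastructure
 deny tcp any 198.51.100.0 0.0.0.255 eq 22 log
 remark Transit traffic is left untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge-facing interface (assumed name)
 ip access-group IACL-IN in
```

Apply the access class from a session that originates inside the permitted subnet, since a source address missing from ACL 10 loses VTY access as soon as the change takes effect.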

According to Cisco, the SSHd flaws were discovered internally or as a result of customer service requests. As a result, Cisco said it does not know of any malicious activity associated with the SSHd flaws.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
