Flaw revealed in Cisco IOS software

Cisco Systems Inc. has warned customers of a flaw in its Internetwork Operating System (IOS) software that could compromise the integrity of TCP (Transmission Control Protocol) traffic sent to and from its routers and switches.

The vulnerability exists in 11.x and 12.x versions of the company’s IOS, and hence affects all Cisco routers and switches running the software, said Andrew Sage, director of marketing for Cisco Canada in Toronto. Cisco’s data networking equipment is the most widely used to carry traffic on the Internet.

The security flaw can allow the successful prediction of TCP Initial Sequence Numbers, Cisco said. Such numbers are supposed to be randomly generated by a sending machine and its receiving host as part of setting up a new IOS connection. Once the initial transmission is established, a sequence number is created based on the amount of data transmitted.

However, if the initial number is not random, then it is possible “with varying degrees of success, to forge one half of a TCP connection with another host in order to gain access to that host, or hijack an existing connection between two hosts in order to compromise the contents of the TCP connection,” Cisco said in the advisory.

Sage said none of Cisco’s customers worldwide had reported any attacks because of the vulnerability. However, one analyst noted that with so much of the Internet running on Cisco equipment, any problem with its networking gear has the potential to become significant.

“Anything that poses a flaw to Cisco is something to be alarmed about, since they control about 80 percent of the router market,” said Irwin Lazar, senior consultant with analyst firm The Burton Group Corp.

“The biggest issue out there is that people don’t want to just slap an IOS upgrade in their routers without testing it first, in case another problem popped up when they corrected this one,” he added.

The flaw affects the security only of TCP connections that originate or terminate on the Cisco device itself, not of any traffic that passes through the device in transit, Cisco said. The vendor is offering free software upgrades for affected customers.

Cisco Systems, in San Jose, Calif., can be reached at http://www.cisco.com/.