Cisco Systems has released seven security notes with a range of software fixes for network devices that run its IOS and IOS XE operating systems.
Dubbed an IOS Software Security Bundled Publication, it is the first time the company has released a bundle of notices for both pieces of software as part of its twice-yearly vulnerability notifications.
The advisories cover:
- Autonomic Network Infrastructure (ANI)
- Common Industrial Protocol (CIP)
- Multicast Domain Name System (mDNS)
- Virtual Routing and Forwarding (VRF)
- Internet Key Exchange Version 2 (IKEv2)
- Cisco IOS XE Software
The ANI feature of IOS and IOS XE — available in the Cisco ASR 901, 901S, and 903 Series Aggregation Services Routers as well as the Cisco ME 3600, 3600X, and 3800X Series Ethernet Access Switches — has multiple vulnerabilities which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or gain limited command and control of the device, says one of the alerts. A software fix is available.
A vulnerability within the VRF subsystem of IOS could allow an unauthenticated, remote attacker to cause a denial of service condition, another advisory said. Only routers that have one or more physical interfaces assigned to a VRF interface are affected.
The IKE version 2 problem is due to a failure to properly process malicious ICMP version 4 (ICMPv4) messages received on a VRF-enabled interface. An attacker could exploit this vulnerability by sending crafted ICMPv4 messages to an affected device. When the ICMPv4 messages are processed, the packet queue of the affected interface may not be cleared, leading to a queue wedge. Once a wedge occurs, the affected device stops processing any additional packets received on the wedged interface. A software update has been issued.
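The queue wedge described above is visible to an administrator in the interface counters: the wedged interface's input queue sits at its maximum size and stops draining. The following script is an added example (not from the article or from Cisco) that parses constructed `show interfaces` output and flags interfaces whose input queue is full; the interface names, hardware line and counter values are made up.

```python
"""Flag wedged input queues in Cisco IOS 'show interfaces' output.

Added example, not from the article or from Cisco. A queue wedge leaves an
interface's input queue full so no further packets are processed; in
'show interfaces' this appears as the queue size at its maximum, e.g.
'Input queue: 75/75/4123/0 (size/max/drops/flushes)'. SAMPLE is constructed.
"""
import re

# First line of each interface block, e.g. "GigabitEthernet0/0 is up, line protocol is up"
IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
# Input queue counters as printed by IOS: size/max/drops/flushes
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")


def parse_show_interfaces(text):
    """Return one dict per interface with its status and input queue counters."""
    results = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "status": m.group(2)}
            results.append(current)
            continue
        m = QUEUE_RE.search(line)
        if m and current is not None:
            size, qmax, drops, flushes = (int(x) for x in m.groups())
            current.update(size=size, max=qmax, drops=drops, flushes=flushes)
    return results


def wedged_interfaces(text):
    """Names of interfaces whose input queue is full (size at or above max)."""
    return [i["name"] for i in parse_show_interfaces(text)
            if "size" in i and i["max"] > 0 and i["size"] >= i["max"]]


# Constructed sample: Gi0/0 shows a full queue with mounting drops, Gi0/1 is healthy.
SAMPLE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is iGbE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Input queue: 75/75/4123/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet0/1 is up, line protocol is up
  Hardware is iGbE, address is 0000.0c12.3457 (bia 0000.0c12.3457)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

if __name__ == "__main__":
    for name in wedged_interfaces(SAMPLE):
        print(f"possible input queue wedge on {name}")
```

A full queue on a single poll is only a hint; comparing the drops counter across two polls confirms the queue is no longer draining.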
IKEv2 is automatically enabled on devices running IOS/IOS XE when the Internet Security Association and Key Management Protocol (ISAKMP) is enabled. These vulnerabilities can only be triggered by sending malformed IKEv2 packets.
IOS’s implementation of the Common Industrial Protocol (CIP) feature contains UDP and TCP denial of service vulnerabilities, as well as a TCP packet memory vulnerability, that an attacker could trigger with crafted CIP packets. A software update will fix it.
In another problem, Cisco [Nasdaq: CSCO] said a vulnerability in the multicast DNS gateway function of any device running certain versions of IOS/IOS XE could allow an unauthenticated, remote attacker to reload the vulnerable device due to improper validation of mDNS packets. The solution is to update to a current version of the operating systems.
The CIP TCP vulnerability is due to improper handling of certain crafted packet sequences used in establishing a TCP three-way handshake. It could be exploited by sending a crafted sequence of TCP packets while establishing a three-way handshake. A successful exploit could allow the attacker to cause a memory leak and eventual reload of the affected device.
Finally, IOS XE for the ASR 1000 Series Aggregation Services Routers (ASR), 4400 Series Integrated Services Routers (ISR), and Cloud Services Routers (CSR) 1000v Series contains several issues that can lead to a denial of service.
Network administrators can use the Cisco IOS Software Checker to quickly determine whether their IOS software releases have vulnerabilities. Note the checker doesn’t work for IOS XE.
The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for Sept 23.