Cisco issues raft of security warnings

By Chad Berndtson on Sep 30, 2011 8:40 AM
Filed under Communications

Covers IOS software, switches, routers, UC Tools and IPv6.

Cisco this week released a massive set of security advisories detailing 10 separate vulnerabilities in some of its major software and unified communications products. It's one of the broadest sets of security advisories Cisco has made all year.

The specific vulnerabilities, detailed in the Security Advisory section of Cisco's corporate web site, include a denial of service (DoS) vulnerability in Cisco's IOS IP Service Level Agreement feature. That vulnerability is triggered when, according to Cisco, "malformed UDP packets are sent to a vulnerable device." Cisco released software updates to address the vulnerability.

Another vulnerability is detailed for Cisco's 10000 Series Router, in which an attacker can cause a device reload by sending a series of ICMP packets. Cisco released software updates, and in its security bulletin, also said workarounds are available to protect the routers.

Next up is a vulnerability in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software. According to Cisco, which again released free software to combat the problem, an unauthenticated, remote attacker could perform remote code execution on affected devices.

Another vulnerability is in Cisco's Unified Communications Manager, which according to Cisco contains a "memory leak vulnerability that could be triggered through the processing of malformed Session Initiation Protocol (SIP) messages." Free software is coming from Cisco for supported UCM versions, and there is an existing workaround, as well.

More vulnerabilities affect the Data-Link Switching feature in Cisco's IOS software, the network address translation (NAT) feature of IOS (multiple DoS vulnerabilities specific to NetMeeting Directory, SIP and H.323), and the IPv6 protocol stack implementation in IOS. Free software updates from Cisco address all of them, the company stated.

Additional DoS vulnerabilities exist in the SIP implementation in IOS and also in Cisco's IOS XE Software, Cisco said. Free software releases cover the vulnerabilities, and while there aren't workarounds available for devices that must run SIP, Cisco said mitigations can "limit exposure to the vulnerabilities."

The last vulnerability mentioned by Cisco in this week's update concerns the Jabber Extensible Communications Platform and Cisco Unified Presence. A DoS vulnerability exists in both through which an unauthenticated, remote attacker could send malicious XML to an affected server, Cisco said. There are no workarounds available, Cisco said.

This article originally appeared at crn.com


Copyright © 2014 The Channel Company, LLC. All rights reserved.
