Cisco issues raft of security warnings

By Chad Berndtson on Sep 30, 2011 8:40 AM
Filed under Communications

Covers IOS software, switches, routers, UC Tools and IPv6.

Cisco this week released a massive set of security advisories detailing 10 separate vulnerabilities in some of its major software and unified communications products. It's one of the broadest sets of security advisories Cisco has issued all year.

The specific vulnerabilities, detailed in the Security Advisory section of Cisco's corporate web site, include a denial of service (DoS) vulnerability in Cisco's IOS IP Service Level Agreement feature. That vulnerability is triggered when, according to Cisco, "malformed UDP packets are sent to a vulnerable device." Cisco released software updates to address the vulnerability.

Another vulnerability is detailed for Cisco's 10000 Series Router, in which an attacker can cause a device reload by sending a series of ICMP packets. Cisco released software updates, and in its security bulletin, also said workarounds are available to protect the routers.

Next up is a vulnerability in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software. According to Cisco, which again released free software to combat the problem, an unauthenticated, remote attacker could perform remote code execution on affected devices.

Another vulnerability is in Cisco's Unified Communications Manager, which according to Cisco contains a "memory leak vulnerability that could be triggered through the processing of malformed Session Initiation Protocol (SIP) messages." Free software is coming from Cisco for supported UCM versions, and there is an existing workaround, as well.

More vulnerabilities include the Data-Link Switching feature in Cisco's IOS software, multiple DoS vulnerabilities in the network address translation (NAT) feature of IOS specific to NetMeeting Directory, SIP and H.323, and the IPv6 protocol stack implementation in IOS. Free software updates from Cisco address all, the company stated.

Additional DoS vulnerabilities exist in the SIP implementation in IOS and also Cisco's IOS XE Software, Cisco said. Free software releases cover the vulnerabilities, and while there aren't workarounds available for devices that must run SIP, Cisco said mitigations can "limit exposure to the vulnerabilities."

The last vulnerability mentioned by Cisco in this week's update concerns the Jabber Extensible Communications Platform and Cisco Unified Presence. A DoS vulnerability exists in both through which an unauthenticated, remote attacker could send malicious XML to an affected server, Cisco said. There are no workarounds available, Cisco said.

This article originally appeared at


Copyright © 2015 The Channel Company, LLC. All rights reserved.

