Cisco has patched a three-year-old vulnerability in its IronPort security appliances, according to this post from Threatpost. The hole, discovered by the FreeBSD Project in December 2011, is in Telnet in the AsyncOS operating system of those appliances.
If the Telnet service is enabled on a vulnerable appliance, a remote attacker can execute arbitrary code, Threatpost states.
The vulnerability was widely publicized once discovered, and there has been a Metaspolit module available to exploit it for years, Threatpost notes. But Glafkos Charalambous, a security researcher, recently discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance.
Cisco issued an advisory last week on it:
The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges.
Cisco has issued software fixes to patch the AsyncOS software, and also recommends workarounds to mitigate the threat.
More from Cisco Subnet: