Cisco patches 3 year old security hole

IronPort appliances still had a Telnet vulnerability first discovered in December 2011

Cisco has patched a three-year-old vulnerability in its IronPort security appliances, according to this post from Threatpost. The hole, discovered by the FreeBSD Project in December 2011, is in Telnet in the AsyncOS operating system of those appliances.

If the Telnet service is enabled on a vulnerable appliance, a remote attacker can execute arbitrary code, Threatpost states.

The vulnerability was widely publicized once discovered, and there has been a Metaspolit module available to exploit it for years, Threatpost notes. But Glafkos Charalambous, a security researcher, recently discovered that the bug was still present in several of Cisco’s security boxes, including the Web Security Appliance, Email Security Appliance and Content Security Management Appliance.

Cisco issued an advisory last week on it:

The vulnerability is due to insufficient boundary checks when processing telnet encryption keys. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system. If successful, the attacker could execute arbitrary code on the system with elevated privileges.

Cisco has issued software fixes to patch the AsyncOS software, and also recommends workarounds to mitigate the threat.

More from Cisco Subnet:

Startups look to eliminate routers, switches

Cisco bulks up branch routers for clouds

HP launches SDN App Store

Broadcom unveils 25G Ethernet, SDN optimized chip

Cisco pumping $1 billion more into Intercloud

Cisco names new security chief after Young departs

Chambers again dashes EMC speculation

Why Cisco lost two key officials in data center, cloud

Brocade unveils OpenDaylight SDN controller

Cisco acquires OpenStack cloud provider

Follow all Cisco Subnet bloggers on Twitter.Jim Duffy on Twitter

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10