In its second Patch Wednesday under its new six-monthly patch schedule for IOS, Cisco today plugged 11 security holes in its network operating system, as well as addressing a vulnerability in Cisco Unified Communications Manager. The IOS vulnerabilities affect IOS running protocol-independent multicast, SIP, MPLS, SSL, and more.
* Cisco says two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial-of-service (DoS) attack. Cisco has released free software updates as well as published workarounds for this problem. In addition to the problem affecting IOS configured for PIM, Cisco 12000 Series (GSR) routers running Cisco IOS Software have a second vulnerability related to a crafted PIM packet, according to Cisco in its advisory about the issue.
* Cisco has released patches to plug multiple vulnerabilities that affect the Session Initiation Protocol (SIP) implementation in IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device. There are no workarounds for this problem other than disabling the protocol or feature itself, says Cisco in its advisory about this issue.
* IOS Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to DoS attacks from specially crafted packets, according to Cisco. Only the MFI is affected by this vulnerability, while the older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected, Cisco notes in its advisory about this problem. Free software upgrades are available from Cisco to address this hole. Disabling MPLS could limit exposure to the problem, but this action would not be possible at sites that require MPLS, Cisco says.
* Cisco also warned that an IOS device could crash during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange, says Cisco. Free patches are available in Cisco's security advisory about this problem, though no workarounds are available.
* A hole in IOS' implementation of Layer 2 Tunneling Protocol (L2TP) could result in a reload of the device when processing a specially crafted L2TP packet, reports Cisco. According to Cisco, several features enable the L2TP mgmt daemon process within IOS, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is at risk, Cisco says. Software patches are available to address this, as are workarounds.
* Hackers could gain control of Cisco uBR10012 series devices because they automatically enable SNMP read/write access to the device if configured for linecard redundancy, Cisco reports. Patches and workarounds are available to mitigate this problem, which only affects devices that are configured for linecard redundancy.
* Cisco 10000, uBR10012 and uBR7200 series devices could be open to a DoS attack because they use a User Datagram Protocol (UDP) based Inter-Process Communication (IPC) channel that is externally reachable, Cisco warns. Software patches and workarounds are available to address this problem.
* IOS MPLS VPN may leak information, warns Cisco. Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for MPLS VPNs or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between customer edge and provider edge devices may permit information to propagate between VPNs, Cisco reports in its advisory. This issue is triggered by a logic error when processing extended communities on the provider edge device, though the problem cannot be deterministically exploited by an attacker, Cisco says. Patches and workarounds are available.
* A vulnerability in IOS' intrusion prevention system feature could cause a router to crash or hang, resulting in denial-of-service, according to Cisco in its alert. The vulnerability is based on the processing of certain IPS signatures that use the SERVICE.DNS engine. Software updates and workarounds are available. Cisco adds that this problem is not related to the DNS cache poisoning problem that was reported earlier this month.
* IOS software configured for IOS firewall Application Inspection Control (AIC) with an HTTP configured application-specific policy is vulnerable to a denial-of-service when processing a specific malformed HTTP transit packet, according to Cisco in its alert. The result could be a reload of the affected device, it adds. This vulnerability affects IOS software release 12.4(9)T. Software patches and workarounds are available.
* A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload, reports Cisco. Patches and workarounds are available.
* Two DoS vulnerabilities exist in the SIP implementation of the Cisco Unified Communications Manager. These vulnerabilities can be triggered while processing specific and valid SIP messages and can lead to a reload of the main Cisco Unified Communications Manager process, reports Cisco in its advisory. Versions 4.x of Cisco Unified CallManager do not have SIP enabled by default unless a SIP trunk is configured, according to Cisco. Versions 5.x and later of the Cisco Unified Communications Manager have SIP enabled by default, and it cannot be disabled, Cisco adds. The company has yet to release fixes for this problem, and there are no workarounds either. Cisco says it will update its advisory once fixes are available.
Cisco announced in March that it would be adopting a twice-a-year patch cycle for IOS, scheduled for the fourth Wednesday of March and September. In its March cycle, Cisco released five alerts that affected Cisco IOS Multicast VPN (MVPN); IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Router Switch Processor 720; IOS User Datagram Protocol delivery; and IOS' Data-link Switching feature.
The Cisco Subnet blog is the official blog of the Network World Cisco Subnet community, managed by Editor Linda Leung. Cisco Subnet is the independent voice of Cisco customers and is your gateway to daily Cisco news, blogs, opinion, books, prize giveaways and more. Visit the Cisco Subnet home page daily and while you are there, subscribe to the Cisco Alert e-mail newsletter, which includes news and views generated by the Cisco Subnet community as well as Cisco-related stories on Network World and elsewhere on the Web.