Cisco warns of holes in IOS, WLAN and IPS gear
By Phil Hochmuth, Network World, 11/03/2005
Cisco this week issued three separate security advisories, warning customers of potential vulnerabilities in IOS-based products
and WLAN gear.
The most critical IOS hole, tied to exploits revealed during a controversial IOS hacking presentation made at this summer’s Black Hat USA Conference, could allow attackers to use a Cisco router to run whatever programs or software
code they choose. The WLAN issue involves an integration problem between Cisco access points and WLAN AP controllers from Airespace, which Cisco acquired
in January. This bug could result in someone using a Cisco AP to launch attacks on a secured WLAN.
A third IOS problem involves a communication glitch between IOS routers running IPS features and management software, which could result in
malicious traffic slipping into a network.
All three of the bugs were found by Cisco’s own security research team.
The IOS flaw, rated "critical" by the French Security Incident Response Team, has to do with the system timers that IOS uses
to run certain operating system tasks. Under certain conditions, attackers may be able to take control of the router by tricking
the system timers to run malicious code, Cisco said in a security advisory.
The IOS glitch was discovered "as a result of continued research to the demonstration of the exploit of another vulnerability
which occurred in July 2005 at the Black Hat USA Conference," Cisco’s security advisory states. This exploit was revealed
by former ISS security researcher Michael Lynn at Black Hat, even after his employer and Cisco pulled the presentation from
the event. Cisco eventually got a court order to stop Lynn from talking about the flaw. Lynn resigned from ISS the week of
the conference.
The weakness Lynn detailed involved a flaw in IOS that allows routers running IPv6 to be tricked into running outside code.
To take over a Cisco router, attackers would need to successfully take advantage of both the earlier IPv6 problem and the
system timer bug disclosed today, said John Noh, a Cisco spokesman. "In order to exploit the issue we're talking about today,
you needed an additional way to attack," he said.
WLAN integration issues
The WLAN glitch Cisco details could affect users deploying Cisco APs that are controlled by Airespace WLAN controller
products. In such a setup, the Airespace controller would provide security, authentication and network management control
for the APs, which operate basically as radios.
The products involved include Cisco 1200, 1131 and 1240 series APs running Lightweight Access Point Protocol (LWAPP), and Cisco
2000 and 4400 series Airespace Wireless WLAN Controllers. In this scenario, an attacker could use the Airespace-controlled
APs as a springboard for sending malicious traffic into an organization's secured WLAN. This attack would involve spoofing
the MAC address of a machine already authenticated on the WLAN, so such an attack would probably involve someone with access
to the corporate network.
Cisco says that customers using Airespace controllers to manage Cisco APs could switch the APs from LWAPP mode to “autonomous”
mode, which would close this vulnerability. In autonomous mode, APs run either IOS or a VxWorks operating system and act as
stand-alone endpoints, which must be configured individually. Users can also upgrade the software on the Airespace WLAN controller,
which will fix the problem.