Cisco discloses three security issues

By Phil Hochmuth, Network World
November 07, 2005 12:06 AM ET

Cisco last week issued three security advisories warning of potential vulnerabilities in some IOS-based products and wireless LAN gear.

The most critical IOS hole, tied to exploits revealed during a controversial IOS hacking presentation made at this summer's Black Hat USA Conference, could result in "remote-code execution" - or attackers using a Cisco router to run whatever programs or software code they choose.

The wireless-LAN issue involves an integration problem between Cisco access points and WLAN access point controllers from Airespace, which Cisco acquired in January. This bug could result in someone using a Cisco access point to launch attacks on a secured WLAN.

A third problem involves a communication glitch between IOS routers running intrusion-prevention system features and security management software, which could result in malicious traffic slipping into a network.

All three bugs were found by Cisco's security research team and addressed in software fixes issued by the company.

The IOS flaw has to do with system timers that IOS uses to run certain operating system tasks. Under certain conditions, attackers may be able to take control of a router by tricking system timers into running malicious code, Cisco says.

The IOS glitch was discovered "as a result of continued research related to the demonstration of the exploit for another vulnerability which occurred in July 2005 at the Black Hat USA Conference," Cisco's security advisory states. This exploit was revealed by former ISS security researcher Michael Lynn, after his employer and Cisco canceled the presentation at the event. Cisco obtained a court order preventing Lynn from talking about the flaw.

That earlier flaw in IOS allows routers running IPv6 to be tricked into running outside code. In the latest related vulnerability, attackers would need to take advantage of both the earlier IPv6 problem and the system-timer bug disclosed last week, says John Noh, a Cisco spokesman. "In order to exploit the issue we're talking about today, you needed an additional way to attack," he said.

The WLAN glitch could affect users deploying Cisco access points that are controlled by Airespace WLAN controller products. In such a setup, the Airespace controller would provide security, authentication and network management control for the access points, which operate as radios.

The products involved include Cisco 1200, 1131 and 1240 series access points running Lightweight Access Point Protocol (LWAPP), and Cisco 2000 and 4400 series Airespace WLAN controllers. An attacker could use the Airespace-controlled access points as a springboard for sending malicious traffic into an organization's secured WLAN. This attack would involve spoofing the media access control (MAC) address of a machine authenticated on a WLAN, so such an attack would probably involve someone with access to the corporate network.

Cisco says customers using Airespace controllers to manage Cisco access points could switch the access points from LWAPP mode to "autonomous" mode, which would close this vulnerability. In autonomous mode, access points run IOS or a VxWorks operating system and act as stand-alone endpoints, which must be configured individually. Users also can upgrade the software on the Airespace WLAN controller, which will fix the problem.
