Cisco IOS vulnerabilities uncovered

Two sites may have scooped Cisco's March and September reporting cycles

Multiple vulnerabilities have cropped up in Cisco IOS that may necessitate an upgrade to IOS version 15.0(1)XA5. The vulnerabilities were reported in both Secunia and Help Net Security.

According to both, they are...

  • An error when processing certain IRC traffic can be exploited to cause a device reload by accessing an IRC channel within 36 hours of a reload;
  • An error in the Communication Manager Express (CME) component when handling a SNR number change menu from an extension mobility phone can be exploited to crash the device;
  • A memory leak when processing UDP SIP REGISTER packets can be exploited to exhaust memory resources via a specially crafted SIP packet;
  • An error in the PKI implementation does not clear the public key cache for the peers when the certificate map is changed. This can be exploited to reconnect and bypass the certificate ban;
  • A memory fragmentation error in the CME component when handling SIP TRUNK traffic can be exploited to exhaust memory resources via specially crafted SIP packets;
  • An error when handling multiple IPv6 router advertisements can be exploited to cause a device to reload by flooding it with random IPv6 router advertisements.

Both Web sites recommend updating to IOS version 15.0(1)XA5 as a solution. We could not locate a security advisory on these vulnerabilities on the Cisco site but Secunia cites this Cisco document as its source. Cisco does not release IOS security advisories until the fourth Wednesday of March and September of each calendar year.

More from Cisco Subnet:

Cisco's LineSider buy big for IT prize

Verizon 2010 Data Breach Report Is Eye Opening

What's at the core of Cisco's plight?

Cisco sends up a warning flare

TSHOOT Practice Questions - The Answers!

Cisco's 3QCY10 Global Threat Report Results

The Smart-Fat and Smart-Thin Edge of the Network

Upgrade Your Cisco Cert to an HP Cert

Win a five-book library from Cisco Press

Follow all Cisco Subnet bloggers on Twitter.Jim Duffy on Twitter


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2011 IDG Communications, Inc.