Security threats Toolkit

Cisco releases patches for router vulnerabilities

Dawn Kawamoto CNET News

Published: 25 May 2007 09:43 BST

Cisco has released a security patch to fix vulnerabilities in a number of its products that are at risk of a denial-of-service attack.

The vulnerabilities are found in a third-party cryptographic library in Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Module and Cisco Unified CallManager products, according to a security advisory issued by Cisco.

The security flaws could allow attackers to send a few small packets through the routers to shut down the network in a denial-of-service (DoS) attack, said Johannes Ullrich, chief research officer for the Sans Institute, which issued a security notice on Wednesday.

"In most DoS attacks, you just send more traffic than the network can handle. But in this case, the attacker only has to send a few packets," Ullrich said. "That takes up less of their bandwidth and makes it very easy to resend these packets again and again."

The vulnerabilities can be exploited without a valid username or password, given some of the older Cisco products have the cryptographic library set to default. And, while attackers may be able to launch a DoS attack, they are not known to gain access to information that has already been encrypted, Cisco noted.

In its advisory, Cisco includes various links for downloading fixes, as well as offering suggestions for potential workarounds.

Although the vulnerabilities affect a wide range of Cisco products, no exploits have yet surfaced, Ullrich noted.

Cisco has issued several security advisories this year involving its routers. In January, the networking giant warned that it had found three security flaws in its software that operates its routers and switches. And, in February, Cisco alerted users that its intrusion prevention technology in its routers could be susceptible to an attack, due to vulnerabilities in its key operating system.