Cover V11, I03

Other Cisco IOS Vulnerabilities

In addition to the Cisco IOS HTTP Authorization Vulnerability, several other security-related vulnerabilities have been discovered in recent IOS versions. Here are brief descriptions of a few of them, along with how each one can be eliminated. Note that most of these vulnerabilities would not be exploitable in an environment where strong IOS security measures are already in place.

  • Three different SSH vulnerabilities were announced in a single advisory. The most severe of the three could permit SSH sessions to be decrypted. The only reasonable option for eliminating this vulnerability is to upgrade IOS to a non-vulnerable version. An alternative option is to disable SSH access, but this will likely introduce more serious security problems by forcing administrators to use telnet and other cleartext connection methods, so it should only be done as a last resort if it's simply not possible to immediately update the IOS.
  • An attacker can crash a device that has the Point-to-Point Tunneling Protocol (PPTP) enabled by sending an abnormal PPTP packet to it. Similar to the SSH vulnerability, the options in this case are to disable PPTP or to upgrade the IOS version. Of course, if the device does not need to be running PPTP, it should have already been disabled.
  • One IOS vulnerability only affected the Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2). If a VTY did not have a password set, anyone could access it via telnet. As with the other vulnerabilities, it can be eliminated by upgrading the IOS to a non-vulnerable version. The quick fix is to set passwords for each VTY. As mentioned earlier, you should either have authentication properly configured for a VTY or disable interactive logins on it.
  • Certain IOS versions do not properly handle connection attempts to certain TCP port numbers. After such an attempt, the router will reload the next time its configuration information is accessed. The port numbers related to this vulnerability are unused by IOS, so there shouldn't be any legitimate attempts to contact them. Upgrading to a non-vulnerable IOS version eliminates the vulnerability; in addition, firewall rules and router ACLs that block connection attempts to those ports on the routers reduce the chance that an exploit attempt ever reaches a vulnerable device.
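The configuration-level points above (a VTY that accepts interactive logins without a password, VTYs left on cleartext telnet, and PPTP enabled on a device that does not need it) can be checked mechanically against a saved running-config. The following audit script is an added example, not code from the article or from Cisco; both configs it reads are constructed, and it assumes, as a labelled simplification, that a VTY with no `transport input` line accepts all transports (the older IOS default).

```python
"""Audit a Cisco IOS running-config (as text) for the conditions the sidebar
describes: VTYs that allow interactive logins without a password, VTYs that
still accept cleartext telnet, and PPTP (vpdn) left enabled.
Added example, not from the original article; both configs are constructed."""

from __future__ import annotations

# Constructed sample running-config with deliberate weaknesses.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
line vty 0 4
 transport input telnet
!
line vty 5 15
 login local
 transport input ssh
!
"""

# Constructed hardened counterpart: PPTP removed, SSH-only VTYs with local
# authentication, and the spare VTYs closed to interactive logins.
HARDENED_CONFIG = """\
hostname edge-rtr
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 transport input none
!
"""


def parse_sections(config: str) -> list[tuple[str, list[str]]]:
    """Split an IOS config into (header, [child lines]) blocks.

    An unindented line starts a new block; indented lines of any depth belong
    to the most recent block. '!' separators and blank lines are skipped.
    """
    sections: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_vty(header: str, children: list[str]) -> list[str]:
    """Return findings for one 'line vty a b' block."""
    findings: list[str] = []
    # Assumption: a VTY with no 'transport input' line accepts all transports.
    transport = next((c for c in children if c.startswith("transport input")),
                     "transport input all")
    # 'transport input none' disables interactive logins entirely.
    if transport == "transport input none":
        return findings
    has_password = any(c.startswith("password ") for c in children)
    has_local_or_aaa = any(c == "login local" or c.startswith("login authentication")
                           for c in children)
    if not (has_password or has_local_or_aaa):
        findings.append(f"{header}: interactive logins allowed but no password "
                        "or local/AAA login configured")
    if any(word in ("telnet", "all") for word in transport.split()[2:]):
        findings.append(f"{header}: cleartext telnet accepted ({transport})")
    return findings


def audit_config(config: str) -> list[str]:
    """Run all checks over a config and return human-readable findings."""
    sections = parse_sections(config)
    findings: list[str] = []
    vpdn_enabled = any(h == "vpdn enable" for h, _ in sections)
    for header, children in sections:
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, children))
        elif header.startswith("vpdn-group") and vpdn_enabled \
                and "protocol pptp" in children:
            findings.append(f"{header}: PPTP accepted while 'vpdn enable' is set; "
                            "remove it unless the device must terminate PPTP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against a config exported with `show running-config`, the script reports three findings for the weak sample (PPTP enabled, and VTYs 0-4 both unauthenticated and on telnet) and none for the hardened one. It is deliberately a plain text scan rather than a full IOS parser, so a site with AAA or `access-class` conventions should extend `audit_vty` to match its own standard.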