Cisco IOS vanishes down another security hole

Cisco Systems has warned that its IOS router operating system software is vulnerable to another serious security flaw, affecting the authentication system for FTP and telnet connections. The flaw could allow attackers to take over or repeatedly crash devices running the widely used operating system.

The warning follows on the heels of a controversy that saw Cisco using legal action against a security researcher to prevent him from disclosing techniques for exploiting Cisco routers. The problem was serious enough for security giant Symantec to raise its overall Internet danger level a notch.

The problem affects the Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions, a feature allowing administrators to set security profiles for individual users logging on to network services via FTP or telnet. The software is vulnerable to a common type of bug - a buffer overflow - when a user remotely creates a TCP connection to an affected IOS device.

"Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code," Cisco said in its advisory. "Repeated exploitation could result in a sustained DoS attack or execution of arbitrary code on Cisco IOS devices."

Devices aren't affected if they don't have the Firewall Authentication Proxy for FTP and/or Telnet configured; administrators can get around the problem by instead deploying authentication services for HTTP and HTTPS, Cisco said.

Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that have been confirmed not to be vulnerable include IOS XR and IOS versions 12.2 and earlier, including 12.0S, Cisco said.

Cisco made patches available on its website, giving details in its advisory, at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

Cisco is the biggest maker of routers and other networking equipment, making vulnerabilities in its products all the more potentially dangerous.

This contributed to the uproar when Cisco took legal action to block disclosure of a technique for cracking its routers. A few days after Cisco's action, an attacker breached the company's website security, forcing the company to reset all user and customer passwords.

The bad publicity may have actually added to the likelihood of attacks on Cisco routers, according to security giant Symantec. The security firm on Wednesday raised its Internet danger level rating from Level 1 to Level 2 in response to the IOS bug disclosure, and warned that attackers have been keeping an eye on Cisco since the summer's earlier events.

"Given the recent attention to exploitation of vulnerabilities in Cisco's IOS it is possible that this issue will see attempts at exploit development in the near term," Symantec said in an advisory to customers of its DeepSight Threat Management System.

Users can also mitigate the threat by blocking external access to affected devices, Symantec said in a public advisory.

FrSIRT, the French Security Incident Response Team, which collates security advisories, gave the flaw a "critical" rating, its most serious. Its advisory is at http://frsirt.com/english/advisories/2005/1669

Cisco warned of a problem with two of its widely used security systems in August. A problem surfaced with Cisco's VOIP systems in July.