Cisco Systems has warned customers of a flaw in its Internetwork Operating System (IOS) software that could compromise the integrity of TCP (Transmission Control Protocol) traffic sent to and from its routers and switches.
The vulnerability exists in all released versions of IOS, and hence affects all Cisco routers and switches running the software, the company said in a security advisory issued on Wednesday. Cisco's data networking equipment is the most widely used to carry traffic on the Internet.
The security flaw can allow the successful prediction of TCP Initial Sequence Numbers, Cisco said. Such numbers are supposed to be randomly generated by a sending machine and its receiving host as part of setting up a new TCP connection. Once the connection is established, subsequent sequence numbers advance by the amount of data transmitted.
However, if the initial number is not random, then it is possible "with varying degrees of success, to forge one half of a TCP connection with another host in order to gain access to that host, or hijack an existing connection between two hosts in order to compromise the contents of the TCP connection," Cisco said in the advisory.
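The two paragraphs above describe the condition at the heart of the advisory: an Initial Sequence Number that can be extrapolated from earlier ones. The example below is an added illustration, not Cisco's code and not anything from the advisory; it contrasts a constructed, deliberately predictable ISN source with an RFC 6528-style generator (clock plus keyed hash of the connection 4-tuple), and gives a small check a defender can run over ISNs observed from successive connections to a host to judge whether they follow a linear pattern. The generator names, the step size, the demo key and the addresses are assumptions made for the demonstration.

```python
"""Added illustration (not Cisco's code or the advisory's): a predictable
ISN source beside an RFC 6528-style one, and a simple check over ISNs
observed from successive connections to the same host."""
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional

MASK32 = 0xFFFF_FFFF


def weak_isn_generator(step: int = 64_000) -> Callable[[], int]:
    """Constructed stand-in for a flawed ISN source: every new connection gets
    the previous ISN plus a fixed increment, so one observed ISN reveals the
    next. Illustrative only; not Cisco's actual algorithm."""
    state = {"isn": 0x1000_0000}

    def next_isn() -> int:
        state["isn"] = (state["isn"] + step) & MASK32
        return state["isn"]

    return next_isn


def rfc6528_isn_generator(secret: Optional[bytes] = None,
                          clock: Callable[[], float] = time.monotonic
                          ) -> Callable[[str, int, str, int], int]:
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey), the
    construction RFC 6528 recommends. M is a 4-microsecond-tick clock and F a
    keyed hash, so ISNs seen on other 4-tuples say nothing about the offset
    used for a different one."""
    key = secret if secret is not None else secrets.token_bytes(32)

    def isn(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        m = int(clock() * 250_000) & MASK32            # 250k ticks/s = 4 us
        ident = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
        f = int.from_bytes(hashlib.sha256(key + ident).digest()[:4], "big")
        return (m + f) & MASK32

    return isn


def linear_predictability(samples: List[int]) -> float:
    """Fraction of observed ISNs that a 'last delta repeats' guess would have
    hit exactly. 1.0 means the sequence is fully predictable by extrapolation,
    the condition the advisory describes; a sound generator scores about 0.
    Takes ISNs from successive connections in the order they were seen."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples")
    hits = 0
    for i in range(2, len(samples)):
        guess = (2 * samples[i - 1] - samples[i - 2]) & MASK32
        hits += guess == samples[i]
    return hits / (len(samples) - 2)


def compare_generators(n: int = 16) -> Dict[str, float]:
    """Collect n ISNs from each generator for successive connections from one
    client (source port increments) and score both. Constructed scenario: the
    clock is frozen so only the hash contribution is visible."""
    weak = weak_isn_generator()
    good = rfc6528_isn_generator(secret=b"constructed-demo-key",
                                 clock=lambda: 1.0)
    weak_isns = [weak() for _ in range(n)]
    good_isns = [good("192.0.2.10", 40000 + i, "198.51.100.1", 23)
                 for i in range(n)]
    return {
        "weak": linear_predictability(weak_isns),
        "rfc6528": linear_predictability(good_isns),
    }


if __name__ == "__main__":
    print(compare_generators())
```

The weak source scores 1.0 because every ISN is the previous one plus a constant; the RFC 6528-style source scores about 0 because successive ISNs differ by the difference of two keyed-hash values, which an observer without the secret cannot reproduce. The same scoring function can be applied to ISNs recorded from real connection attempts when assessing whether a device's generator needs the vendor's upgrade.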
The flaw affects the security only of TCP connections that originate or terminate on the Cisco device itself, not of any traffic that passes through the device in transit. Cisco said it is offering free software upgrades for affected customers.