Cisco patches security flaws in number of products

By Dawn Kawamoto
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Cisco patches security flaws in number of products

Related Stories: Cisco warns of more router vulnerabilities
February 14, 2007; Trio of Cisco flaws may threaten networks
January 25, 2007; Cisco squashes 'critical' Net attack bug
November 2, 2005

Cisco Systems has released a security patch to fix vulnerabilities in a number of its products that are at risk of a denial of service attack.

The vulnerabilities are found in a third-party cryptographic library in Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Module and Cisco Unified CallManager products, according to a security advisory issued by Cisco.

The security flaws could allow attackers to send a few small packets through the routers to shut down the network in a DOS attack, said Johannes Ullrich, chief research officer for the Sans Institute, which issued a security notice Wednesday.

"In most DOS attacks, you just send more traffic than the network can handle. But in this case, the attacker only has to send a few packets," Ullrich said. "That takes up less of their bandwidth and makes it very easy to resend these packets again and again."

The vulnerabilities can be exploited without a valid username or password, given some of the older Cisco products have the cryptographic library set to default. And while attackers may be able to launch a DOS attack, they are not known to gain access to information that has already been encrypted, Cisco noted.

In its advisory, Cisco includes various links for downloading fixes, as well as offering suggestions for potential workarounds.

Although the vulnerabilities affect a wide range of Cisco products, no exploits have yet surfaced, Ullrich noted.

Cisco has issued several security advisories this year involving its routers. In January, the networking giant warned that it had found three security flaws in its software that operates its routers and switches. And in February, Cisco alerted users that its intrusion prevention technology in its routers could be susceptible to an attack, due to vulnerabilities in its key operating system.

See more CNET content tagged:
Cisco Systems Inc., denial of service, security flaw, Cisco IOS, packet

Add a Comment (Log in or register) 2 comments

jean-sebastien@guay-leroux.com
by thierry.laval May 29, 2007 3:06 AM PDT: Fu ck me

jean-sebastien@guay-leroux.com; Reply to this comment

Bug ID
by allmyd1ps June 1, 2007 7:20 AM PDT: It would be nice to have a bug id or something a little more specific about this. Maybe a link to the patches? This is like saying that a restaurant selling food will make people sick... What restaurant? What food is it?... Crappy analogy but you get the point; Reply to this comment

Latest tech news headlines

Unisys hopes ex-Gateway chief can turn it around
Posted in News - Business Tech by Jennifer Guevin

October 7, 2008 7:35 PM PDT
CEA: Economy down, TV sales up
Posted in Crave by Leslie Katz

October 7, 2008 6:25 PM PDT
Click-to-buy links for songs, games added to YouTube
Posted in News - Digital Media by Jennifer Guevin

October 7, 2008 5:57 PM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Unisys hopes ex-Gateway chief can turn it around
Struggling IT services company has chosen Edward Coleman, a man it says has a long history of transforming troubled tech companies, to take over as CEO.
Gallery
Photos: Messenger returns to Mercury
Crave
CEA: Economy down, TV sales up
Sales in flat-panel TVs and game hardware should do fine during the upcoming holidays, the Consumer Electronics Association says.
Outside the Lines
No escape from the perfect financial storm
After this perfect storm, brewed out of years of habit and taken down by mortgages for the masses, consumers and businesses will be far more conservative in their spending habits.
Video
Mercury exposed
News - Digital Media
Click-to-buy links for songs, games added to YouTube
YouTube is adding links to Amazon.com and the iTunes Store from the pages of thousands of its videos, making it easier for people to buy an MP3 they hear or a video game that looks good.
Video
DIY political ads proliferate
News - Politics and Law
CBS live Webcast: Presidential debate, round two
Continuing our coverage of Election 2008, CBS News and CNET are presenting a live Webcast of Tuesday's presidential debate, followed by Web-only analysis and commentary.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crave
HTC Touch HD won't be coming to the U.S.
HTC announces that it will not bring the Touch HD smartphone to the United States.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.