May 24, 2007 3:15 PM PDT

Cisco patches security flaws in number of products

Cisco Systems has released a security patch to fix vulnerabilities in a number of its products that are at risk of a denial of service attack.

The vulnerabilities are found in a third-party cryptographic library in Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Module and Cisco Unified CallManager products, according to a security advisory issued by Cisco.

The security flaws could allow attackers to send a few small packets through the routers to shut down the network in a DOS attack, said Johannes Ullrich, chief research officer for the Sans Institute, which issued a security notice Wednesday.

"In most DOS attacks, you just send more traffic than the network can handle. But in this case, the attacker only has to send a few packets," Ullrich said. "That takes up less of their bandwidth and makes it very easy to resend these packets again and again."

The vulnerabilities can be exploited without a valid username or password, given some of the older Cisco products have the cryptographic library set to default. And while attackers may be able to launch a DOS attack, they are not known to gain access to information that has already been encrypted, Cisco noted.

In its advisory, Cisco includes various links for downloading fixes, as well as offering suggestions for potential workarounds.

Although the vulnerabilities affect a wide range of Cisco products, no exploits have yet surfaced, Ullrich noted.

Cisco has issued several security advisories this year involving its routers. In January, the networking giant warned that it had found three security flaws in its software that operates its routers and switches. And in February, Cisco alerted users that its intrusion prevention technology in its routers could be susceptible to an attack, due to vulnerabilities in its key operating system.

See more CNET content tagged:
Cisco Systems Inc., security flaw, denial of service, vulnerability, Cisco IOS

2 comments

Join the conversation!
Add your comment
jean-sebastien@guay-leroux.com
Fu ck me

jean-sebastien@guay-leroux.com
Posted by thierry.laval (4 comments )
Reply Link Flag
Bug ID
It would be nice to have a bug id or something a little more specific about this. Maybe a link to the patches? This is like saying that a restaurant selling food will make people sick... What restaurant? What food is it?... Crappy analogy but you get the point
Posted by allmyd1ps (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.