Cisco has issued three new security advisories warning of potential vulnerabilities in some IOS-based products and wireless LAN gear.
The most critical IOS hole, tied to exploits revealed during the controversial IOS hacking presentation made at this summer’s Black Hat USA Conference, could result in “remote-code execution” — or attackers using a Cisco router to run whatever programs or software code they choose.
The WLAN issue involves an integration problem between Cisco access points and WLAN access point controllers from Airespace, which Cisco acquired in January. This bug could result in someone using a Cisco access point to launch attacks on a secured WLAN.
A third problem involves a communication glitch between IOS routers running intrusion-prevention system features and security management software, which could result in malicious traffic slipping into a network.
The IOS flaw has to do with system timers that IOS uses to run certain operating system tasks. Under certain conditions, attackers may be able to take control of a router by tricking system timers to run malicious code, Cisco says.
The IOS glitch was discovered “as a result of continued research related to the demonstration of the exploit for another vulnerability which occurred in July 2005 at the Black Hat USA Conference,” Cisco’s security advisory states. This exploit was revealed by former ISS security researcher Michael Lynn, after his employer and Cisco cancelled the presentation at the conference. Cisco obtained a court order preventing Lynn from talking about the flaw.
That earlier flaw in IOS allows routers running IPv6 to be tricked into running outside code. In the latest related vulnerability, attackers would need to take advantage of both the earlier IPv6 problem and the system-timer bug just disclosed, says John Noh, a Cisco spokesman. “In order to exploit the issue we’re talking about today, you need an additional way to attack,” he says.
The WLAN glitch could affect users deploying Cisco access points that are controlled by Airespace WLAN controller products. In such a set-up, the Airespace controller would provide security, authentication and network management control for the access points, which operate as radios. The products involved include Cisco 1200, 1131 and 1240 series access points running Lightweight Access Point Protocol (LWAPP), and Cisco 2000 and 4400 series Airespace WLAN controllers. An attacker could use the Airespace-controlled access points as a springboard for sending malicious traffic into an organisation’s secured WLAN.
Cisco says customers using Airespace controllers to manage Cisco access points could switch the access points from LWAPP mode to “autonomous” mode, which would close this vulnerability. In autonomous mode, access points act as stand-alone end-points which must be configured individually. Users also can upgrade the software on the Airespace WLAN controller, which will fix the problem.
The third security notice Cisco issued this week involves IOS-based routers running intrusion-prevention system (IPS) features, which are configured via Cisco VPN/Security Management Solution software and Cisco Management Centre for IPS Sensors.
In some cases, IPS signatures could be sent from management software to a router, but not enabled. This could allow malicious traffic to pass through the router, even though IPS services appear to be running normally.