Cisco released three security advisories on Wednesday for severe vulnerabilities in its Internetwork Operating System software (IOS), the most serious of which could allow remote arbitrary code execution.
The first hole allows remote execution of arbitrary code when a crafted IP packet meets a number of conditions. The second vulnerability can be exploited by a crafted TCP packet, causing memory leakage until memory exhaustion causes denial of service. And the third is a remotely exploitable flaw in IPv6 Type 0 Routing header handling.
Experts told security professionals to pay close attention to the vulnerability notes included in each advisory, which include directions for fixes and workarounds that might not be to IT professionals' liking
“Anytime Cisco announces a security vulnerability that affects such a dizzying array of devices, enterprises and ISPs should take note,” said Andrew Storms, director of security operations for nCircle. “The mitigating solutions provided by Cisco are likely to be either unpalatable or unacceptable to many organizations, leaving them with a difficult risk equation - risk the external threat or risk affecting operational uptime."
Storms warned that some of Cisco’s suggestions require shutting off functionality.
Click here to email West Coast Bureau Chief Ericka Chickowski.