Cisco has released security updates that address vulnerabilities in products running Cisco IOS Software and Cisco IOS XE Software.
Users who have devices running vulnerable versions of the software are affected by a SSH version 2 RSA-based user authentication bypass vulnerability – CVE-2015-6280 – that could be exploited by an unauthenticated, remote attacker, an advisory explained.
“Successful exploitation could allow the attacker to log in with the privileges of the user or the privileges configured for the Virtual Teletype (VTY) line,” the advisory said. “Depending on the configuration of the user and of the vty line, the attacker may obtain administrative privileges on the system.”
The vulnerability is the result of a flaw in the implementation of the SSHv2 public key authentication method. An attacker can exploit the bug so long as they know a valid username configured for RSA-based user authentication and the public key configured for that user.
Affected versions of Cisco IOS Software and IOS XE Software are additionally vulnerable to two IPv6 first hop security denial-of-service bugs – CVE-2015-6278 and CVE-2015-6279 – that can be exploited by an unauthenticated, remote attacker to cause an impacted device to reload, a second advisory explained.
The CVE-2015-6279 vulnerability is the result of insufficient validation of IPv6 ND packets that use the Cryptographically Generated Address (CGA) option, and it can be exploited by sending a malformed packet to an affected device that has the IPv6 Snooping feature is enabled.
“The [CVE-2015-6278] vulnerability is due to insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets,” the advisory said. “An attacker could exploit this vulnerability by sending a flood of traffic consisting of specific IPv6 ND packets to an affected device where the IPv6 snooping feature is configured.”
Vulnerable versions of Cisco IOS XE Software are affected by a network address translation denial-of-service vulnerability – CVE-2015-6282 – that can be exploited by an unauthenticated, remote attacker to cause an affected device to reload, a third advisory said.
The bug exists in the processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) services of Cisco IOS XE Software for Cisco ASR 1000 Series, Cisco ISR 4300 Series, Cisco ISR 4400 Series, and Cisco Cloud Services 1000v Series routers.
“The vulnerability is due to improper processing of IPv4 packets that require NAT and MPLS processing,” the advisory said. “An attacker could exploit this vulnerability by sending an IPv4 packet to be processed by a Cisco IOS XE device configured to perform NAT and MPLS services.”
The Cisco Product Security Incident Response Team is not aware of any public announcements or malicious use of any aforementioned vulnerabilities.