Cisco Warns Of IOS Security Flaw - InformationWeek

A security flaw in Cisco routers could hand the hardware over to hackers.

Cisco Systems is warning customers of a potentially serious security flaw that could let hackers completely take over any Cisco router.

If exploited, the flaw would let an intruder overcome the authentication mechanism in a router and take control of the device, including the ability to inspect or change its configuration.

Cisco issued a technical advisory about the flaw Wednesday, along with a software fix that customers can download. Cisco said that for affected routers, "it is possible, under some circumstances" for hackers to "bypass the authentication and execute any command on the device. In that case, the [hacker] will be able to exercise complete control over the device."

The security flaw is present in Cisco's Internetwork Operating System software, which runs on almost all of Cisco's routers and many of its LAN switches. "Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability," Cisco said in its advisory. All versions of IOS from release 11.3 and on are affected, according to Cisco.

Specifically, the problem is in the HTTP server component of IOS and is present on routers or switches that use a local authentication database with the HTTP server component activated. Potentially, hackers can send a particular URL to an affected device to bypass its authentication mechanisms and gain complete control of the device.

The "malicious" URLs must follow a specific format, and one URL will not be able to overcome the security of all Cisco devices, Cisco said. Nevertheless, there are only 84 possible combinations for URLs that work, and hackers could easily try them all in short order, according to Cisco.

The security flaw can be fixed by disabling the HTTP component or by using other authentication mechanisms on the devices, according to Cisco.
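As an added illustration (not part of the original article or of Cisco's advisory), the following Python sketch audits saved IOS configuration text for the exposure conditions described above: HTTP server enabled, local authentication, release 11.3 or later. The sample configurations are constructed, and treating a missing version line as affected and a missing authentication line as "review" are assumptions of this example.

```python
import re

# Constructed sample configs for illustration; not taken from any real device.
SAMPLES = {
    "edge-rtr": "version 12.1\nhostname edge-rtr\nip http server\n"
                "ip http authentication local\n",
    "core-sw": "version 12.0\nhostname core-sw\nno ip http server\n"
               "ip http authentication local\n",
    "branch-rtr": "version 12.1\nhostname branch-rtr\nip http server\n"
                  "ip http authentication tacacs\n",
    "old-rtr": "version 11.2\nip http server\nip http authentication local\n",
    "lab-rtr": "version 12.1\nip http server\n",
}

def audit(config):
    """Classify one IOS config text against the conditions the article lists."""
    http_on, auth, version = False, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip http server":
            http_on = True
        elif line == "no ip http server":
            http_on = False
        elif m := re.fullmatch(r"ip http authentication (\S+).*", line):
            auth = m.group(1)
        elif m := re.fullmatch(r"version (\d+)\.(\d+).*", line):
            version = (int(m.group(1)), int(m.group(2)))
    if not http_on:
        return "OK: HTTP server disabled"
    # Assumption: a config with no version line is treated as an affected release.
    if version is not None and version < (11, 3):
        return "OK: release earlier than 11.3"
    if auth == "local":
        return "EXPOSED: HTTP server enabled with local authentication"
    if auth is None:
        # Assumption: no explicit method in the config means a human should check.
        return "REVIEW: HTTP server enabled, authentication method not stated"
    return "OK: HTTP server uses non-local authentication (%s)" % auth

def audit_all(configs):
    """Return {device name: verdict} for a mapping of name -> config text."""
    return {name: audit(text) for name, text in configs.items()}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Devices reported as EXPOSED are the ones to patch first or to mitigate by disabling the HTTP server or switching its authentication method, as the article describes.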

The Computer Emergency Response Team of Carnegie Mellon University's Software Engineering Institute in Pittsburgh issued its own advisory on the security flaw Thursday. The CERT advisory directs IT managers to Cisco's Web site, where a technical fix is available.

"We are telling customers about the vulnerabilities and that fixes are available," a Cisco spokeswoman said Friday. So far, though, "we have seen no active exploitation of any of the vulnerabilities."

The Cisco advisory can be found under the title "Cisco Security Advisory: IOS HTTP Authorization Vulnerability."
