Cisco Warns Of IOS Security Flaw - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Cisco Warns Of IOS Security Flaw

A security flaw in Cisco routers could hand the hardware over to hackers.

Cisco Systems is warning customers of a potentially serious security flaw that could let hackers completely take over any Cisco router.

If exploited, the flaw would let an intruder overcome the authentication mechanism in a router and take control of the device, including the ability to inspect or change its configuration.

Cisco issued a technical advisory about the flaw Wednesday, with a software fix that customers can download to fix the problem. Cisco said that for affected routers, "it is possible, under some circumstances" for hackers to "bypass the authentication and execute any command on the device. In that case, the [hacker] will be able to exercise complete control over the device."

The security flaw is present in Cisco's Internetwork Operating System software, which runs on almost all of Cisco's routers and many of its LAN switches. "Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability," Cisco said in its advisory. All versions of IOS from release 11.3 and on are affected, according to Cisco.

Specifically, the problem is part of the HTTP server component of IOS and is present on routers or switches that use local authentication database with the HTTP server component activated. Potentially, hackers can send a particular URL to an affected device to bypass its authentication mechanisms and gain complete control of the device.

The "malicious" URLs must follow a specific format, and one URL will not be able to overcome the security of all Cisco devices, Cisco said. Nevertheless, there are only 84 possible combinations for URLs that work, and hackers could easily try them all in short order, according to Cisco.

The security flaw can be fixed by disabling the HTTP component or by using other authentication mechanisms on the devices, according to Cisco.

The Computer Emergency Response Team of Carnegie Mellon University's Software Engineering Institute in Pittsburgh issued its own advisory on the security flaw Thursday. The CERT advisory directs IT managers to Cisco's Web site, where a technical fix is available.

"We are telling customers about the vulnerabilities and that fixes are available," a Cisco spokeswoman said Friday. So far, though, "we have seen no active exploitation of any of the vulnerabilities."

The Cisco advisory can be found at the Cisco Security Advisory: IOS HTTP Authorization Vulnerability

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll