Security Experts:

Cisco Fixes DoS Vulnerabilities in IOS Software

Cisco has released security updates to address a total of 16 vulnerabilities affecting Cisco IOS and IOS XE software.

Cisco IOS is an operating system that runs on most Cisco routers and current switches, and functionality for routing, switching, internetworking and telecommunications.

Cisco has detailed the patched vulnerabilities in a total of seven advisories. The flaws affect components such as Autonomic Network Infrastructure (ANI), Common Industrial Protocol (CIP), multicast Domain Name System (mDNS), TCP, Virtual Routing and Forwarding (VRF), Internet Key Exchange version 2 (IKEv2), and Cisco IOS XE software.

The ANI intelligent automatic device management feature is plagued by a total of three denial-of-service (DoS) vulnerabilities related to Autonomic Networking Registration Authority spoofing (CVE-2015-0635), Autonomic Networking (AN) node spoofing using crafted AN messages (CVE-2015-0636), and targeted device reloading using specially crafted AN messages (CVE-2015-0637).

The vulnerabilities, which affect Cisco IOS and IOS XE software, can be exploited by a remote, unauthenticated attacker to trigger a DoS condition on the targeted system, Cisco said in an advisory.

An attacker can also cause a DoS condition (CVE-2015-0638) on routers and switches configured to perform virtual routing and forwarding (VRF).

“The vulnerability is due to a failure to properly process malicious ICMP version 4 (ICMPv4) messages received on a VRF-enabled interface. An attacker could exploit this vulnerability by submitting ICMPv4 messages designed to trigger the vulnerability on an affected device,” Cisco said in a separate advisory. “When the ICMPv4 messages are processed, the packet queue of the affected interface may not be cleared, leading to a queue wedge. When a wedge occurs, the affected device will stop processing any additional packets received on the wedged interface.”

A different security hole in Cisco IOS and IOS XE is caused by the improper handling of certain packet sequences used in establishing a TCP three-way handshake ( CVE-2015-0646). An attacker can leverage the flaw to cause a memory leak and reload affected devices. Repeated exploitation attempts can lead to a sustained DoS condition, Cisco noted.

A malicious actor can also cause a DoS condition on devices running IOS and IOS XE software by sending malformed IPv4 and IPv6 packets on UDP port 5353. The bug is caused by improper validation of multicast DNS (mDNS) packets by the mDNS gateway function (CVE-2015-0650).

Vulnerabilities in the Internet Key Exchange (IKE) version 2 protocol, which is used in the IP Security protocol suite to negotiate cryptographic attributes, can be exploited to trigger a DoS condition due to the way certain malformed IKEv2 packets are processed (CVE-2015-0642, CVE-2015-0643).

Cisco 1000 series Aggregation Services Routers (ASR), Cisco 4400 series Integrated Services Routers (ISR), and Cisco 1000v series Cloud Services Routers (CSR) running Cisco IOS XE are plagued by four DoS and one remote code execution vulnerability. The following CVE identifiers have been assigned to these bugs: CVE-2015-0640, CVE-2015-0644, CVE-2015-0641, CVE-2015-0645 and CVE-2015-0639.

Finally, a total of three vulnerabilities that can be exploited for DoS attacks have been identified in the Cisco IOS software implementation of the Common Industrial Protocol (CIP) feature (CVE-2015-0649, CVE-2015-0648, CVE-2015-0647).

Cisco says there is no evidence to suggest that any of these vulnerabilities have been exploited in the wild.

The company discloses IOS vulnerabilities twice per year, on the fourth Wednesday of March and September. Customers who want to easily determine which updates they must apply in order to fix these security holes can use the Cisco IOS Software Checker. The tool does not support Cisco IOS XE software.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.