by Brendan Sullivan

US-CERT warns of Cisco product vulnerabilities

Jan 27, 2005

Cisco's IOS contains vulnerabilities that could allow remote attackers to cause a denial of service

The United States Computer Emergency Readiness Team (US-CERT) warned that Cisco Systems’ Internet Operating System (IOS) contains several vulnerabilities that could allow remote attackers to use specially crafted traffic to cause Cisco routers running the software to restart, resulting in a denial of service.

The warning from CERT followed the release of information on three separate vulnerabilities Wednesday: one for Cisco products using Multiprotocol Label Switching (MPLS), a technology for increasing network traffic speed; another for Cisco products running IOS with Internet Protocol Version 6 (IPv6); and the third for products running IOS with Border Gateway Protocol (BGP), a large network routing manager. All three vulnerabilities may have “severe” consequences if they go unfixed, said US-CERT, a division of the U.S. Department of Homeland Security.

Although the vulnerabilities stem from different components of Cisco’s products, they could all eventually result in the affected devices restarting unexpectedly, creating a denial of service, Cisco said.

Cisco announced the vulnerabilities publicly via its Web site Wednesday, and is offering free, patched software for its customers from its online software center, said John Noh, public relations manager at Cisco. “We discovered (the vulnerabilities) through routine testing, we made customers aware of it publicly, and we are now offering fixes,” he said.

Cisco specified the product versions that are affected by the vulnerabilities on its Web site. Affected products running IOS with MPLS capability are: 2600 and 2800 series routers; 3600, 3700 and 3800 series routers; 4500 and 4700 series routers; and 5300, 5350 and 5400 series Access Servers. All products running IOS with IPv6 or BGP are vulnerable.

Cisco was unable to comment on how many customers would be affected by the vulnerabilities, although the company has not reported any cases of the vulnerabilities being exploited as of late Thursday.