
Thread: ***Cisco Security Alert - Buffer Overflow vulnerability in IOS***

  1. #1
    Join Date
    Jun 2003
    Posts
    3,620
    Rep Power
    20

    ***Cisco Security Alert - Buffer Overflow vulnerability in IOS***

    The Cisco Internetwork Operating System (IOS) may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

    Cisco has made free software available that includes the additional integrity checks for affected customers.

    This advisory is posted at http://www.cisco.com/warp/public/707...2-timers.shtml.

    Cisco is not aware of any active exploitation of this vulnerability. This advisory documents changes to Cisco IOS® as a result of continued research related to the demonstration of the exploit for another vulnerability which occurred in July 2005 at the Black Hat USA Conference. Cisco addressed the IPv6 attack vector used in that demonstration in a separate advisory published on July 29, 2005.
    Network admins need to pay attention to this alert.

  2. #2
    Join Date
    Aug 2002
    Posts
    1,257
    Rep Power
    0


    This is potentially a huge project depending on the number and complexity of configurations present on routers.
    If all fails please Net Admins have a backup copy of running-config prior to upgrade.
    I don't need to know everything, I just need to know where to find the answer... Einstein

    Omar O Thompson (CISA, CCSP, CCDA, CCNA, NCDS(CS1000), LPIC-1, Linux+)

  3. #3
    Join Date
    Feb 2005
    Posts
    390
    Rep Power
    0


    Quote Originally Posted by tech_guru
    If all fails please Net Admins have a backup copy of running-config prior to upgrade.
    Amen to that.


    I have some routers (a lot) that are not on the internet side and I think I'll wait before I upgrade.

  4. #4
    Join Date
    Sep 2003
    Posts
    2,849
    Rep Power
    0


    Remember over the summer when Cisco freaked out over a security researcher who revealed a pretty major vulnerability in the software that runs a lot of Cisco equipment? We already discussed how the move backfired badly by only calling much more attention to the vulnerability -- but also to the researcher, Michael Lynn himself. He lost his job at a security firm over the flap, but it appears the notoriety probably helped him find another one without too much trouble. He's now working at Juniper, a major Cisco rival. Does Cisco get the referral bonus for recommending him? Update: Oh and, by the way, it was only this week that Cisco finally patched the real problem Lynn was discussing. Update: Updated to make clear that Lynn worked at a security firm, since some felt I implied he worked at Cisco.
    http://techdirt.com/articles/20051104/1518205_F.shtml
    starry heavens above and the moral law within
    Open source!
    dmitridawkins.com
