Cisco Warns Of IOS Security Flaw - InformationWeek


Cisco Warns Of IOS Security Flaw

A security flaw in Cisco routers could hand the hardware over to hackers.

Cisco Systems is warning customers of a potentially serious security flaw that could let hackers completely take over any Cisco router.

If exploited, the flaw would let an intruder overcome the authentication mechanism in a router and take control of the device, including the ability to inspect or change its configuration.

Cisco issued a technical advisory about the flaw Wednesday, along with a software fix that customers can download. Cisco said that for affected routers, "it is possible, under some circumstances" for hackers to "bypass the authentication and execute any command on the device. In that case, the [hacker] will be able to exercise complete control over the device."

The security flaw is present in Cisco's Internetwork Operating System software, which runs on almost all of Cisco's routers and many of its LAN switches. "Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability," Cisco said in its advisory. All versions of IOS from release 11.3 and on are affected, according to Cisco.

Specifically, the problem is in the HTTP server component of IOS and is present on routers or switches that use a local authentication database with the HTTP server component activated. Potentially, hackers can send a particular URL to an affected device to bypass its authentication mechanisms and gain complete control of the device.

The "malicious" URLs must follow a specific format, and one URL will not be able to overcome the security of all Cisco devices, Cisco said. Nevertheless, there are only 84 possible combinations for URLs that work, and hackers could easily try them all in short order, according to Cisco.

The security flaw can be fixed by disabling the HTTP component or by using other authentication mechanisms on the devices, according to Cisco.
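The exposure conditions and workarounds above can be checked against saved device configurations. The following is an added example, not code from Cisco or InformationWeek: the `ip http server` and `ip http authentication` lines are IOS configuration syntax the article does not quote, the sample configs are constructed, and treating a config with no `ip http server` line as "HTTP disabled" is an assumption.

```python
import re

# Constructed sample configurations (not taken from the article).
SAMPLE_EXPOSED = """\
version 12.1
hostname edge-rtr-1
ip http server
ip http authentication local
"""
SAMPLE_MITIGATED = """\
version 12.1
hostname edge-rtr-2
no ip http server
ip http authentication local
"""

def audit_ios_config(text):
    """Flag a config that meets the article's conditions: IOS 11.3 or later,
    HTTP server activated, local authentication database in use.
    It cannot tell whether a fixed software release is installed."""
    version = None
    http_enabled = False  # assumption: no 'ip http server' line means disabled
    http_auth = None      # None: no explicit setting, device default applies
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"version (\d+)\.(\d+)\S*", line)
        if m:
            version = (int(m.group(1)), int(m.group(2)))
        elif line == "ip http server":
            http_enabled = True
        elif line == "no ip http server":
            http_enabled = False
        elif line.startswith("ip http authentication "):
            http_auth = line.split()[3]
    # An unknown version is treated as in range so the device still gets reviewed.
    in_range = version is None or version >= (11, 3)
    exposed = in_range and http_enabled and http_auth == "local"
    actions = []
    if exposed:
        actions = ["disable the HTTP server component",
                   "or switch HTTP to another authentication mechanism",
                   "apply the software fix from the Cisco advisory"]
    return {"version": version, "http_enabled": http_enabled,
            "http_auth": http_auth, "exposed": exposed, "actions": actions}

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("mitigated", SAMPLE_MITIGATED)):
        print(name, audit_ios_config(cfg))
```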

The Computer Emergency Response Team of Carnegie Mellon University's Software Engineering Institute in Pittsburgh issued its own advisory on the security flaw Thursday. The CERT advisory directs IT managers to Cisco's Web site, where a technical fix is available.

"We are telling customers about the vulnerabilities and that fixes are available," a Cisco spokeswoman said Friday. So far, though, "we have seen no active exploitation of any of the vulnerabilities."

The Cisco advisory is titled "Cisco Security Advisory: IOS HTTP Authorization Vulnerability."
