Cisco Warns Of IOS Security Flaw - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Cisco Warns Of IOS Security Flaw

A security flaw in Cisco routers could hand the hardware over to hackers.

Cisco Systems is warning customers of a potentially serious security flaw that could let hackers completely take over any Cisco router.

If exploited, the flaw would let an intruder overcome the authentication mechanism in a router and take control of the device, including the ability to inspect or change its configuration.

Cisco issued a technical advisory about the flaw Wednesday, with a software fix that customers can download to fix the problem. Cisco said that for affected routers, "it is possible, under some circumstances" for hackers to "bypass the authentication and execute any command on the device. In that case, the [hacker] will be able to exercise complete control over the device."

The security flaw is present in Cisco's Internetwork Operating System software, which runs on almost all of Cisco's routers and many of its LAN switches. "Virtually all mainstream Cisco routers and switches running Cisco IOS software are affected by this vulnerability," Cisco said in its advisory. All versions of IOS from release 11.3 and on are affected, according to Cisco.

Specifically, the problem is part of the HTTP server component of IOS and is present on routers or switches that use local authentication database with the HTTP server component activated. Potentially, hackers can send a particular URL to an affected device to bypass its authentication mechanisms and gain complete control of the device.

The "malicious" URLs must follow a specific format, and one URL will not be able to overcome the security of all Cisco devices, Cisco said. Nevertheless, there are only 84 possible combinations for URLs that work, and hackers could easily try them all in short order, according to Cisco.

The security flaw can be fixed by disabling the HTTP component or by using other authentication mechanisms on the devices, according to Cisco.

The Computer Emergency Response Team of Carnegie Mellon University's Software Engineering Institute in Pittsburgh issued its own advisory on the security flaw Thursday. The CERT advisory directs IT managers to Cisco's Web site, where a technical fix is available.

"We are telling customers about the vulnerabilities and that fixes are available," a Cisco spokeswoman said Friday. So far, though, "we have seen no active exploitation of any of the vulnerabilities."

The Cisco advisory can be found at the Cisco Security Advisory: IOS HTTP Authorization Vulnerability

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
What Becomes of CFOs During Digital Transformation?
Joao-Pierre S. Ruth, Senior Writer,  2/4/2020
Fighting the Coronavirus with Analytics and GIS
Jessica Davis, Senior Editor, Enterprise Apps,  2/3/2020
IT Careers: 10 Job Skills in High Demand This Year
Cynthia Harvey, Freelance Journalist, InformationWeek,  2/3/2020
Register for InformationWeek Newsletters
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll