Cisco Discloses Critical IPS Vulnerability

The vulnerability stops the intrusion prevention system from processing packets, producing alerts, or performing automated actions such as logging. It also renders the IPS inaccessible both remotely and via the console.

David Greenfield, Technology Writer

July 13, 2006

2 Min Read

Cisco yesterday announced yet another vulnerability, this time in the company's Intrusion Prevention System (IPS). The news comes on the same day that Cisco announced vulnerabilities in Cisco Unified CallManager (CUCM) 5.0 , and the Cisco Router Web Setup (CRWS) application .

According to the Cisco Security Advisory, the vulnerability exists in the custom device driver used with the IPS's Intel-based gigabit network adapters. A malformed IP packet received on such an adapter may cause the IPS to stop processing packets, producing alerts, performing automated actions such as logging, and to become inaccessible remotely or via the console.

The Advisory further notes that when deployed as an inline device, the IPS will also stop forwarding packets between interfaces and may cause a network outage. IPS devices configured to use the auto-bypass feature will also fail to forward packets. Attackers may use this vulnerability to disable an IPS device to hide malicious activity.

This vulnerability only affects certain IPS devices when configured to use Intel-based gigabit network adapters as sensing interfaces, not as a management interface. A power reset is required to recover the IPS device. There are no workarounds, however Cisco says it has made free software available to address these vulnerabilities for affected customers.

Some users downplayed the risks posed by these threats. "No one in their right mind would implement an IP-voice solution that was exposed directly to the Internet, or for that matter, even internal users," Ethan Simmons, a partner at Boston-based solution provider NetTeks told CRN magazine.

But that won't provide much assurance to many companies. "Yeah, and 'it's behind the firewall, it's safe' was the cry of the 90s too. We saw how well that worked, " says security expert, Donald W. MacVittie. MacVittie is the senior technology editor of security for NetworkingPipeline's sister publication, Network Computing Magazine. "Changing a host name is a trivial procedure if you have the tools," he adds.

"These are real threats with potentially serious consequences," he concludes. "For a malicious hacker, to be able to drop an IPS/IDS with a single packet? Oh heck yeah, that gets the corporate police off of my back until they figure out what happened and reboot."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights