
Mounting IOS flaws may boost third-party vendors

A spate of recently discovered security vulnerabilities in the software that runs Cisco's routers and switches has caught the industry's eye, but one expert explains why, for some, IOS flaws could be an opportunity.

Cisco Systems Inc.'s Internetwork Operating System (IOS) has been under fire recently following a series of new security vulnerabilities. They pose a limited risk to enterprise networks, and experts say it's unlikely that they'll cause major problems.

IOS is the software inside the networking giant's routers and newer switches that allows the devices to be configured and managed. During the past few weeks, IOS has been pummeled by a steady stream of security flaws, including the following:

  • Two weeks ago, a Skinny Call Control Protocol vulnerability was discovered that could enable a malicious user to cause a denial-of-service (DoS) attack. Because of the vulnerability, a vulnerable network device running IOS version 12 could be forced to reload via a specially crafted control protocol message.

  • A Multiprotocol Label Switching (MPLS) packet processing flaw reported last week also can be exploited to cause a DoS attack. The less critical flaw (according to Secunia) affects only IOS version 12, but support for MPLS does not need to be enabled for successful exploitation to occur.

  • A moderately critical flaw in IOS version 12 can open the door to a DoS attack when a malicious user forces the device to reload using specially crafted IPv6 packets. However, a device must be configured to process IPv6 packets to be affected.

  • The most recent vulnerability, published late last week and affecting five different major releases, detailed a fault within the handling of queued Border Gateway Protocol packets when logging a BGP neighbor change. Though deemed less critical by Secunia, malicious users could exploit the problem to cause a DoS attack by sending a specially crafted BGP packet from a configured, trusted peer.

Cisco spokesman John Noh said all four vulnerabilities were discovered through the vendor's routine testing processes, and the company has released patches or offered upgrade options for all affected products.

The vulnerabilities are unrelated, Noh said, but Cisco chose to distribute information on three of them simultaneously last week so customers would have flexibility in determining their upgrade paths and could avoid potentially redundant upgrades.

Noh said Cisco does not rank IOS vulnerabilities in terms of severity; instead, it advises customers to make their own severity determinations based on the information provided in its advisories.

However, the vulnerabilities highlight how many different ways IOS can be compromised, and call into question how many as-yet-undiscovered problems may still exist.

Despite the volume of problems, Zeus Kerravala, vice president with Boston-based research firm Yankee Group, said enterprises shouldn't be alarmed. He said that as long as companies are monitoring their networks and watching for potential exploitation, their networks are at relatively low risk.

"When you have a software system that's as widely distributed as IOS, it's going to have bugs," Kerravala said. "I think this is something we'll see consistently moving forward with IOS maturing, but one thing enterprises can do is move to a configuration management system."

It's common for enterprises to use dozens or even hundreds of different versions of IOS across their devices, as over time Cisco has issued hundreds of subreleases to patch security holes or resolve compatibility issues with network interface cards or IP stacks.


Read more articles written by News Editor Eric B. Parizo.

Jeffrey Posluns, CEO of Montreal-based consultancy SecuritySage Inc., said the differences between IOS versions are actually quite subtle and largely intended to make the product line more attractive from a sales perspective.

For instance, Posluns said Cisco uses the same code base on many of its products, but when it makes a small addition, the resulting product is given a new subversion number. That's why many subversions are often affected by the same problem.

Since upgrading IOS can be a tedious process, Kerravala said companies often upgrade devices only when a critical issue mandates it, or when Cisco ends support for a particular version.

Kerravala said because device management has become such a burdensome process, there's an opportunity for third-party configuration management vendors -- such as Intelliden Corp., Voyence Inc. and Rendition Networks, which was recently acquired by Opsware Inc. -- to grow their businesses by making the upgrade process easier.

Posluns said despite the flaws, IOS is still one of the better network operating systems available today, and that there's no reason to panic. "I wouldn't see this as a reason to change anything in the way that we do things," he said.

Still, Kerravala said it's unlikely that an enterprise would ever be faced with a network attack that exploits one of the recently announced IOS vulnerabilities, because not only do several specific conditions need to be in place, but it also usually demands knowledge of the inner workings of a network.

"I'm not going to say it would take a perfect storm to exploit one of the vulnerabilities," said Kerravala, "but I think the fact that Cisco is willing to reveal them shows that they're looking for them and troubleshooting them."
