In its second Patch Wednesday under its new six-monthly patch schedule for IOS, Cisco yesterday plugged 11 security holes in its network operating system and addressed a vulnerability in Cisco Unified Communications Manager. The IOS vulnerabilities affect IOS running protocol-independent multicast, SIP, MPLS, SSL, and more.
Cisco says two vulnerabilities in Cisco IOS software, each triggered by a crafted Protocol Independent Multicast (PIM) packet, may lead to a denial-of-service (DoS) attack. Cisco has released free software updates and published workarounds for this problem. The first vulnerability affects IOS configured for PIM; the second, also related to a crafted PIM packet, affects Cisco 12000 Series (GSR) routers running Cisco IOS Software, according to Cisco in its advisory about the issue.
Cisco has released patches to plug multiple vulnerabilities that affect the Session Initiation Protocol (SIP) implementation in IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device. There are no workarounds for this problem other than disabling the protocol or feature itself, says Cisco in its advisory about this issue.
The IOS Multiprotocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to DoS attacks from specially crafted packets, according to Cisco. Only the MFI is affected by this vulnerability; the older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected, Cisco notes in its advisory about this problem. Free software upgrades are available from Cisco to address this hole. Disabling MPLS could limit exposure to the problem, but this is not an option at sites that require MPLS, Cisco says.
Cisco also warned that an IOS device could crash during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange, says Cisco. Free patches are available in Cisco's security advisory about this problem, though no workarounds are available.
A hole in IOS' implementation of Layer 2 Tunneling Protocol (L2TP) could result in a reload of the device when processing a specially crafted L2TP packet, reports Cisco. According to Cisco, several features enable the L2TP mgmt daemon process within IOS, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunneling Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled, the device is at risk, Cisco says. Software patches are available to address this, as are workarounds.
Hackers could gain control of Cisco uBR10012 series devices because the devices automatically enable SNMP read/write access when configured for linecard redundancy, Cisco reports. Patches and workarounds are available to mitigate this problem, which only affects devices that are configured for linecard redundancy.