Cisco Rolls Major Patches to TCP Flaw

By Ryan Naraine

April 21, 2004

Switches, routers, intrusion detection systems and VoIP phones are on the list needing patches to TCP flaw.

Routing and switching giant Cisco said a security flaw in the Transmission Control Protocol (TCP) specification that could lead to major disruption of the Internet is also a potential threat to its product lines and needs to be addressed.

Cisco issued a blanket advisory Wednesday, warning that new information on the existing TCP flaw affected all products that contain a TCP stack.

The Cisco alert included a long list of affected products, including non-IOS based switches, routers, content delivery managers, intrusion detection systems, VoIP phones and wireless access points.

"The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending upon the attacked protocol, a successful attack may have additional consequences beyond terminated connection which must be considered," Cisco warned.

The TCP flaw, first reported in 2001, could lead to a shutdown of parts of the Internet. According to the CERT Coordination Center (CERT/CC), new information on the vulnerability suggest an attacker could crash vulnerable products that rely on TCP in a much shorter time than previously established.

The CERT/CC advisory included a firm warning that routers that support the Border Gateway Protocol (BGP) are considered high risk. The impact of this vulnerability varies by vendor and application but in some deployment scenarios, it is considered critical.

In Cisco's case, the flaw could cause widespread disruption for customers using non-IOS products. The company issued separate advisories for products that do not run IOS software.

The latest alerts come on the heels of a more recent confirmation from Cisco that some of its VoIP products that use the H.323 protocol could lead to security problems. Earlier this year, Cisco released patches to plug the flaw, confirming that all products that run the Cisco IOS software and support H.323 packet processing are affected, including devices configured for Session Initiation Protocol (SIP) or Media Gateway Control Protocol (MGCP).

Affected products included the Cisco IOS 11.3T and later versions; Cisco CallManager versions 3.0 through 3.3; Cisco Conference Connection (CCC); Cisco Internet Service Node (ISN); Cisco BTS 10200 Softswitch; Cisco 7905 IP Phone H.323 Software Version 1.00 and the Cisco ATA 18x series products running H.323/SIP loads with versions earlier than 2.16.1.

Separately, Cisco warned of a denial-of-service bug in the Cisco IOS 12.x and Cisco IOS R12.x products. That ale rt included a warning that an error within the processing of solicited SNMP requests could be exploited to crash unpatched systems.

Cisco said an attacker could exploited by sending a SNMP request with a solicited operation to a vulnerable device on port 162/UDP or the random SNMP UDP high port. "Successful exploitation causes the device to reload."

For Cisco, the security issues could become a public relations humbug. In recent times, the company made a splash in the integrated security space, rolling out products and services in areas like security management, virtual private networks and threat protection.

Cisco has also rolled out anti-virus offerings and made security-related acquisitions to beef up its security product line.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.