RealTime IT News

DoS Flaw in Cisco Router, Switches

Cisco has issued an alert for a denial-of-service vulnerability in routers and switches running its Cisco IOS software and configured to process IPv4 packets.

Cisco, which dominates the market for the switching and routing equipment used to link networks, said a rare sequence of crafted IPv4 packets sent directly to a vulnerable device may cause the input interface to stop processing traffic once its input queue is full.

The flaw, rated "moderately critical" by research firm Secunia, can be exploited without authentication because processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected, Cisco said.

On Ethernet interfaces, Cisco said, neighboring devices' Address Resolution Protocol (ARP) entries for the affected interface expire after a default of four hours; because the blocked interface no longer answers ARP, those entries cannot be refreshed and traffic to the device stops. "The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention. The attack may be repeated on all interfaces causing the router to be remotely inaccessible," the company warned.

According to the advisory, a device receiving these specifically crafted IPv4 packets will stop processing traffic on the inbound interface. "The device may stop processing packets destined to the router, including routing protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct itself," the company cautioned, noting that the vulnerability may be exercised repeatedly, resulting in loss of availability until a workaround has been applied or the device has been upgraded to a fixed version of code.

Cisco has released fixed software and a workaround for the flaw.

The Computer Emergency Response Team (CERT), in an accompanying advisory, urged network administrators to consider applying access control lists as an additional safeguard until the fixed software can be installed.
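Because the attack depends on packets addressed to the device itself, the access-list safeguard CERT refers to amounts to restricting which sources may send traffic to the router's own interface addresses while leaving transit traffic alone. The following IOS configuration is an added illustration of that idea, not the vendor's published workaround or any text from the advisory; the addresses (router interfaces 192.0.2.1 and 192.0.2.129, management network 198.51.100.0/24, routing-protocol peer 192.0.2.2) and the interface names are assumed for the example.

```cisco
! Added example, not from the advisory. Addresses and interface names are hypothetical.
! Goal: only trusted sources may send IP traffic to the router's own addresses;
! everything else destined to the router is dropped and logged, transit traffic passes.
ip access-list extended PROTECT-ROUTER
 ! management network may reach the router (SSH, SNMP, etc.)
 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.1
 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.129
 ! routing-protocol neighbor on the LAN must still reach the router, otherwise
 ! the ACL itself causes the loss of routing adjacency the attack would cause
 permit ip host 192.0.2.2 host 192.0.2.1
 ! anything else aimed at the router's addresses is dropped; logging the denies
 ! gives the "alarm" the advisory says the device itself will not raise
 deny   ip any host 192.0.2.1 log
 deny   ip any host 192.0.2.129 log
 ! traffic passing through the router is unaffected
 permit ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.128
 ip access-group PROTECT-ROUTER in
!
interface FastEthernet0/1
 ip address 192.0.2.129 255.255.255.128
 ip access-group PROTECT-ROUTER in
```

Two caveats apply. Every interface address on the device, including loopbacks and any address on an unlisted interface, must appear in the deny entries, since the advisory notes the attack can be repeated against each interface. And the ACL only filters IP: it does not stop the loss of ARP processing once an interface is already blocked, so it is a preventive measure to buy time until the fixed software is installed, not a recovery step.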

Cisco said it was not aware of any public announcements or malicious use of the vulnerability.