Security firm Secunia has labeled the vulnerabilities highly critical. IOS is Cisco’s embedded operating system that runs on Cisco
routers and switches that are widely deployed on a global basis. If exploited, the vulnerabilities in IOS could potentially lead to a denial of service (DoS) attack or arbitrary code execution.
One of the flaws may have allowed an attacker to exploit IOS by way of a specially crafted IP packet. Cisco notes in its advisory that it discovered the flaw during internal testing.
A memory leak condition in how IOS handles TCP packets could also
potentially have been exploited, leading to a degradation of service or a
full-fledged DoS attack. According to Cisco, this
vulnerability only applies to traffic destined to the Cisco IOS device.
Traffic transiting the Cisco IOS device will not trigger this vulnerability.
“Because devices running IOS may transmit traffic for a number of other
networks, the secondary impacts of a denial of service may be severe,”
said US-CERT in its alert.
The third flaw reported by Cisco involves a maliciously crafted IPv6 packet that
could potentially crash IOS. Cisco notes in its advisory that the flaw was initially reported by a customer and that a further trigger vector was discovered while the fix for this vulnerability was being developed.
Cisco is providing fixes to its customers for all of the reported issues.