Cisco finds more security flaws in router software

The company reports three more vulnerabilities in certain versions of its routing software.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Cisco Systems on Wednesday announced it has uncovered three more security flaws in its routing software that could allow denial-of-service attacks.

Just last week, Cisco posted a notice on its Web site warning users that routers connected to its IP telephony gear could be vulnerable to denial-of-service attacks. Those attacks involve floods of data packets that force a router to reload and reboot repeatedly; while the router is down, every connection passing through it is dropped, so the outage is not limited to a single overburdened Web site. Cisco has already posted a fix for last week's problem.

The vulnerabilities disclosed Wednesday are found in certain versions of Cisco's Internetwork Operating System (IOS) software, and they too can be exploited to mount denial-of-service attacks. The company has made fixes and free software upgrades available on its site.

The potentially most serious flaw affects Cisco IP routers running the Border Gateway Protocol (BGP). BGP is the protocol by which the large networks that make up the Internet exchange routing information with one another, and it is used almost universally by carriers and Internet service providers.

According to Cisco's Web site, only routers configured with the command "bgp log-neighbor-changes" are vulnerable. Cisco said that this command is turned on by default on certain releases of IOS software, so a router can be exposed even if no administrator ever entered the command.

A second flaw affects several versions of Cisco's lower-end routers that run the Multiprotocol Label Switching (MPLS) protocol. Vulnerable products include the Cisco 2600, 2800, 3600, 3700, 3800, 4500 and 4700 series routers and the 5300, 5350 and 5400 series Access Servers.

Cisco's high-end routers, such as the 7200, 7500 and 12000 series routers--used by telephone operators and Internet service providers to shuttle traffic across the Net--are not affected, Cisco said. The company's popular Catalyst Ethernet switches are also not affected.

The final, and probably least serious, of the new flaws affects routers running Internet Protocol version 6. IPv6 has been designed to replace the current Internet Protocol version, IPv4. This vulnerability can only be exploited when a router is configured to process IPv6 packets, Cisco said. Because most routers on the Internet today still use IPv4, the security flaw will probably not cause any serious security problems, though a router that has IPv6 enabled is exposed regardless of how little IPv6 traffic it actually carries.
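The three exposure conditions the article describes are all visible in a router's configuration, so an administrator can triage an estate from saved "show running-config" output. The script below is an added illustration written for this page; it is not Cisco's tooling and is not drawn from the article or from any Cisco advisory. It parses the IOS stanza layout and reports whether "bgp log-neighbor-changes" is set under "router bgp", which interfaces carry MPLS, and whether IPv6 is configured. The sample configuration is constructed, and the indicators chosen for MPLS ("mpls ip" on an interface) and for IPv6 processing ("ipv6 unicast-routing" globally, or "ipv6 address"/"ipv6 enable" on an interface) are assumptions. The script does not know which IOS releases are affected, since the article does not list them, so a hit means "check this router against Cisco's advisory", not "this router is vulnerable"; and since it reads only the configuration text, a release that enables the BGP command by default without printing it would be missed.

```python
# Constructed sample of an IOS running-config excerpt (not from any real device);
# it deliberately triggers all three exposure conditions named in the article.
SAMPLE_CONFIG = """\
version 12.3
hostname edge-rtr-1
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mpls ip
!
interface GigabitEthernet0/1
 ipv6 address 2001:db8::1/64
!
router bgp 64496
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 64497
!
end
"""


def parse_stanzas(config):
    """Split IOS config text into (top-level command, [indented sub-commands]) pairs.

    IOS indents sub-commands by one space under their parent command and uses
    '!' lines as separators, which is enough to recover the stanza structure.
    """
    stanzas = []
    parent, children = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue
        if line.startswith(" ") and parent is not None:
            children.append(line.strip())
        else:
            if parent is not None:
                stanzas.append((parent, children))
            parent, children = line.strip(), []
    if parent is not None:
        stanzas.append((parent, children))
    return stanzas


def audit_exposure(config):
    """Report which of the article's three exposure conditions a config meets.

    Keys in the returned dict:
      bgp_log_neighbor_changes: 'bgp log-neighbor-changes' present under 'router bgp'
      mpls_interfaces: interfaces carrying 'mpls ip' (assumed MPLS indicator)
      ipv6: IPv6 routing enabled globally or an interface has IPv6 configured
            (assumed meaning of 'configured to process IPv6 packets')
    """
    result = {"bgp_log_neighbor_changes": False, "mpls_interfaces": [], "ipv6": False}
    for parent, children in parse_stanzas(config):
        if parent.startswith("router bgp"):
            if "bgp log-neighbor-changes" in children:
                result["bgp_log_neighbor_changes"] = True
        elif parent.startswith("interface "):
            name = parent.split(None, 1)[1]
            if "mpls ip" in children:
                result["mpls_interfaces"].append(name)
            if any(c.startswith(("ipv6 address", "ipv6 enable")) for c in children):
                result["ipv6"] = True
        elif parent == "ipv6 unicast-routing":
            result["ipv6"] = True
    return result


def report(config):
    """One line per condition, suitable for pasting into a ticket."""
    r = audit_exposure(config)
    return "\n".join([
        "BGP 'bgp log-neighbor-changes': "
        + ("PRESENT (check IOS release against advisory)" if r["bgp_log_neighbor_changes"] else "absent"),
        "MPLS interfaces: " + (", ".join(r["mpls_interfaces"]) or "none"),
        "IPv6 processing: " + ("configured" if r["ipv6"] else "not configured"),
    ])


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

To run it against a real device, capture "show running-config" to a file and pass the file's contents to audit_exposure or report. By the article's own criterion, a router whose configuration lacks the BGP command is not exposed to that flaw, but the MPLS and IPv6 checks only narrow the list of routers to compare against the affected-version tables in Cisco's advisories.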

One analyst said these security warnings are not much to worry about and should be considered a natural course of business. Companies across the technology landscape from Apple Computer to Microsoft to Oracle are constantly updating customers about newly identified security vulnerabilities.

"Operating systems are always evolving," said Kevin Mitchell, an analyst with Infonetics Research. "Features are constantly being added. People pay attention to Cisco's reported flaws more closely because the company has such a huge installed base."