Problems continue to crop up within older versions of the software that runs in various networking devices sold by Cisco Systems.
Two months after the company released a patch to fix a problem that could potentially crash nearly all variations of Cisco's routing devices, another flaw that could allow a wayward user to access sensitive data has been discovered by a Cisco customer in a lab setting, forcing additional fixes.
Cisco said the two bugs are unrelated, though they both concern older versions of the company's Internetworking Operating System (IOS), essentially the "engine" that runs the company's routing and switching hardware.
The existence of the bugs is significant because Cisco's routing devices and accompanying IOS software are the dominant means for sending traffic across the Net, with the company holding about 70 percent of the market for such equipment.
Cisco has said there have been no reports of "malicious exploitation" of the software hole. A notice concerning the bug has been posted on Cisco's Web site describing how to obtain a patch.
"We have no reports of customers being victimized by this vulnerability," said Roger Farnsworth, manager of security solutions marketing at the company.
The glitch affects IOS versions 9.1 and later. The latest releases of versions 11.0 through 11.3 include the fix.
Hardware running the older versions of IOS may include most router series, recent versions of the LightStream 1010 asynchronous transfer mode (ATM) switch, recent versions of the Catalyst 2900XL local area switch, and Cisco's Distributed Director.
The bug works in this fashion: A wayward user can connect to a Cisco device and gain access to random text fragments from transmissions to and from the equipment, fragments that could include passwords. The user would not need to log in to gain access to the device, but would need only to respond with a sequence of characters to a prompt from IOS.
The hole will not allow a user to access the contents of data packets forwarded by IOS, according to executives.
Cisco executives said that only an improperly configured network could expose this hole. "In a properly configured network, it would have little or no impact," Farnsworth said.