Just a few weeks after they announced they were moving to a biannual patch cycle, Cisco has released five updates for their IOS software in the first of two patches this year. Secunia and Cisco rate the updates as moderately critical and advise administrators to apply them as soon as possible.
The vulnerabilities reported in IOS can lead to Denial-of-Service, information disclosure, or data manipulation. There is a memory leak in the handling of completed PPTP sessions which, if exploited, will exhaust the system's memory. Another problem with PPTP exists in the handling of sessions when virtual access interfaces are not removed from the interface descriptor block (IDB) and are not reused. This can result in the exhaustion of the IDB limit. Both of the PPTP errors exist in IOS versions earlier than 12.3.
Other fixes include errors in the Data-Link-Switching (DLSw) feature when processing UDP and IP protocol 91 packets. This can be exploited to cause a reload of the system or a memory leak. Also, there were issues in IPv6 packet processing, which can be exploited to prevent the interface from receiving additional traffic, or to cause the device to crash if RSVP service is configured on the interface.
Finally, there is an error in Multicast Virtual Private Networks (MVPN), which can be exploited to create extra multicast states on the core routers via specially crafted Multicast Distribution Tree (MDT) Data Join messages. This can also be exploited to receive multicast traffic from VPNs that are not connected to the same Provider Edge (PE).
More information, as well as all patches, is here: http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml