Cisco has warned customers about two critical security holes that affect almost every product the company makes. The vulnerabilities could be used by malicious hackers to create denial of service attacks, causing Cisco products to abruptly restart or drop active connections with other devices.
Cisco issued advisories yesterday, revealing the impact on the company's products of a security hole in TCP and another serious vulnerability in company's Internetwork Operating System (IOS) that affects the Simple Network Management Protocol (SNMP). The advisories are just the latest in a string of security warnings from the San Jose, California, networking equipment maker.
Following warnings yesterday from the National Infrastructure Security Co-Ordination Centre (NISCC) and the US Computer Emergency Readiness Team (US-CERT), Cisco issued two advisories regarding a security vulnerability in the standard implementation of TCP.
Cisco is just one of a large number of software and hardware makers that are affected by the TCP hole.
In one advisory, Cisco published software updates for more than 47 of the company's products that contain the TCP vulnerability but do not use the IOS operating system.
Cisco issued a separate advisory listing updates for scores of versions of the IOS operating system that are also affected by the TCP hole and provided workaround instructions for customers who are unable to update their operating system.
In a third advisory, Cisco said that it patched a flaw in the way certain versions of IOS process SNMP traffic. The software vulnerability, which was introduced by a coding error to fix an earlier IOS problem, could cause memory on the Cisco devices running IOS to be corrupted, forcing the affected device to restart unexpectedly, Cisco said.
The company said it fixed the SNMP problem and published information on updating IOS with new versions of the operating system.
US-CERT also issued a warning about the Cisco SNMP hole and advised Cisco customers to upgrade their devices that use affected versions of IOS.
The warnings are just the latest from Cisco, which has disclosed a number of serious vulnerabilities in recent weeks, including a hole in Cisco VPN (virtual private network) hardware and software and in two products used to manage wireless LANs and e-business services in corporate data centers.
It also warned of a simple hacking toolkit that exploited the holes in its products through a simple point-and-click interface.