Cisco Systems has issued patches over the past two days for vulnerabilities in an IOS authorisation feature and for weakness that might enable a DDoS attack on certain VPN concentrators.
On Wednesday, the company issued a patch to a number of releases of their Internetwork Operating System, covering a vulnerability that would allow users employing the Tcl (Tool Command Language) exec shell to get around the Authentication, Authorization, and Accounting (AAA) command authorisation feature. Users who employed the Tcl exec shell could use that access to execute commands above their privilege level.
A second problem exacerbated the danger presented by the first. If a user on an affected system terminates her or his session without leaving the Tcl Shell mode (by using the tclquit command), that shell process remains active and attached to the virtual type terminal VTY or TTY line. When another authenticated user connects to that device over the same line, he or she will have access to the unterminated Tcl Shell process and might be able to bypass the AAA command authorisation checking.
The vulnerability affects all Cisco products running Cisco IOS version 12.0T or later, if support for the Tcl functionality is enabled and the AAA command authorization feature is enabled as well. It was discovered by security engineers at Colt Telecom and reported to Ciscos Product Security Incident Response Team (PSIRT).
On Thursday, the company addressed a weakness described earlier this month at the SchmooCon conference. That security hole, which affects Cisco VPN 3000 series concentrators running software 4.7.0 through 4.7.2.A, would allow a DDoS attack on an unpatched device. A malicious HTTP packet sent to one of those concentrators could cause it to reload, dropping users' connections as it did so.
Cisco has posted a patch for the problem and advises that workarounds are available as well. According to the company, no known attempt has been made to exploit the security hole.