Cisco Patches IOS-XE Vulnerability
Friday, July 31, 2015 @ 02:07 PM gHale
Cisco patched an error-message handling vulnerability that could expose IOS-XE versions prior to 3.13S to a remote denial-of-service (DoS) attack.
The company’s threat advisory said the issue came to Cisco’s attention through an independent researcher.
IOS XE is a version of Cisco’s operating system that runs as a Linux daemon and abstracts routing functions away from platform-specific interfaces.
Cisco’s patch focuses on how the daemon triggers error messages for packets it can’t reassemble. “When an affected device fails to successfully perform reassembly, instead of silently dropping the fragments, the ATTN-3-SYNC_TIMEOUT error message may be triggered,” it said in its advisory.
The resulting consumption of CPU resources could cause queued processes to halt, Cisco said. “An attacker could trigger this vulnerability by sending a series of IPv4 or IPv6 fragments that are designed to trigger the error message, directly to the affected device.”
IOS-XE users need to contact Cisco for an update.
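One defender-side use of the detail above, as an added example that is not part of the article or of Cisco’s advisory: a small Python syslog monitor that flags a device logging a burst of ATTN-3-SYNC_TIMEOUT messages, the symptom that, on a vulnerable image, precedes the CPU exhaustion described. The log lines, hostnames, sequence numbers and the message text after the mnemonic are constructed for the example; the page does not give the real message wording.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Cisco-style syslog line: "<Mon DD HH:MM:SS> <host> <seq>: %FACILITY-SEV-MNEMONIC: text".
# Only the mnemonic is keyed on; the free text after it is not relied upon.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: "
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+):"
)

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
Jul 31 14:07:01 rtr-edge1 101: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:01 rtr-edge1 102: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:02 rtr-edge1 103: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:02 rtr-edge1 104: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:03 rtr-edge1 105: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:03 rtr-edge1 106: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:07:10 rtr-core2 201: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:09:30 rtr-core2 202: %ATTN-3-SYNC_TIMEOUT: reassembly timed out
Jul 31 14:09:31 rtr-core2 203: %SYS-5-CONFIG_I: Configured from console
"""

def parse_line(line, year=2015):
    """Return (timestamp, host, mnemonic) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]

def find_bursts(log_text, mnemonic="ATTN-3-SYNC_TIMEOUT", threshold=5, window_s=10):
    """Return {host: time_of_first_alert} for hosts that log `mnemonic`
    at least `threshold` times within any `window_s`-second sliding window.
    A single timeout is normal noise; a burst is the pattern worth a CPU check."""
    recent = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[2] != mnemonic:
            continue
        ts, host, _ = parsed
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in find_bursts(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} {host}: fragment-reassembly error burst, check CPU load")
```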