Cisco patches critical flaw

...after struggle to keep it under wraps...

By Joris Evers

Published: 3 November 2005 08:35 GMT

Cisco has patched a flaw in the software used to run its routers and switches, in the latest twist in the company's dispute with a security researcher.

The networking giant on Wednesday released an update to fix a serious so-called heap-overflow vulnerability in its Internetwork Operating System, or IOS. This type of security flaw is commonly found in software and often allows a remote attacker to gain control of the affected system. In this case, that would mean control over a Cisco router or switch, the devices that make up the infrastructure of many computer networks, including the internet.

The newly disclosed flaw in IOS was part of a controversial presentation at the Black Hat security confab in July, but Cisco has been able to keep it under wraps until now.

At Black Hat, security researcher Michael Lynn demonstrated how he could gain control over a router by exploiting security flaws. A widespread attack could seriously disrupt or shut down parts of the internet or a corporate network, he said. IOS had been perceived as impervious to such attacks and Cisco fought Lynn's disclosure by going to court.

A Cisco spokesman said: "Through the IPv6 vulnerability disclosed in July, he was able to achieve a heap-overflow attack on system timers." That flaw, which Cisco provided a fix for in April, was Lynn's way to trigger the heap overflow and commandeer the router.

Cisco in July published details on the IPv6 vulnerability that Lynn exploited in his demonstration, but did not disclose the second, more serious, flaw involved in the attack demonstration until Wednesday. The heap overflow is the actual vulnerability that could let an attacker take over a Cisco router or switch.

The scope of the second flaw explains why Cisco went to great lengths to keep it under wraps, said Johannes Ullrich, chief research officer at the SANS Institute. "These serious flaws show why it was so important for Cisco to hold back on the release at Black Hat," he said. "Early, widespread knowledge of this flaw would have been bad."

Users should update as soon as possible, Ullrich said. This can be a tough task, especially at internet service providers and organisations that run customised configurations. "Too many times in the past, network operators got burned by bad patches and routers not rebooting correctly. It will take a while to have all this worked out," he said.

Joris Evers writes for News.com
