It seems like Cisco has rapidly become one of my favorite things to talk about on this blog. Cisco shipped three security updates today for a variety of problems. The worst of them, if exploited, could stop a router from passing traffic and could potentially allow code execution. This isn’t good; in fact, it’s bad. This should make network engineers who live in Cisco-only shops very afraid. Diversify your solutions; it’s the only way to build a survivable network these days.
Errata customers should have access to the briefs on the vulnerabilities, with full HEVs coming soon. The three vulnerabilities are in the handling of TCP packets, IP options, and IPv6 packets. I find this a bit humorous because, if you don’t know, I worked on the same Advanced Research and Development team as Mike Lynn did while at ISS. In fact, we all used to sit in a big room together. The reason all that Cisco research started in 2005 was that Cisco refused to share information on an IPv6 vulnerability that was released in January of ‘05, and here we have another one. With the advances in reverse engineering and the availability of better tools, I wouldn’t be at all surprised if someone already had, and was passing around, a proof-of-concept for any of these bugs that at least performs a denial of service.
Again, let me state for the record how I feel about this: do not buy a single-vendor solution for something as important as the very basis of how your network operates. I know you may get volume discounts, or sales reps might take you to nice lunches, but eventually something like this will happen. Do you really want to be up all night wondering whether your network can be patched faster than attackers can develop a working exploit? And remember, they don't need to get a shell; they just need a DoS to cause havoc.