Vulnerability in Cisco routers could allow DoS attacks

News by Rene Millman

Flaw in the IP stack of the Linux kernel allows denial-of-service attacks: flooding a device with fragmented IPv4 and IPv6 packets exploits an inefficient reassembly algorithm, Cisco says.

Cisco has warned that a vulnerability in some of its products could enable attackers to carry out DoS attacks against an organisation's infrastructure.

According to a security advisory from the firm, the flaw could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

It said it was alerted to the issue by a vulnerability report by Juha-Matti Tilli, of the Aalto University Department of Communications and Networking in Finland, and Nokia Bell Labs.

"An attack could be executed by an attacker who can submit a stream of fragmented IPv4 or IPv6 packets that are designed to trigger the issue on an affected device," the advisory stated.

Cisco said the vulnerability is due to inefficient IPv4 and IPv6 fragment reassembly algorithms in the IP stack that is used by the affected kernel. Linux Kernel Versions 3.9 and later are known to be affected by this vulnerability.

It added that it was investigating its product line to determine which products and services may be affected. Cisco said that the investigation would focus primarily on Cisco products that use Linux Kernel Version 3.9 or later.

So far, Cisco has listed its vEdge Series routers, Cisco Firepower and Nexus switches among the affected products, along with a number of others.

Cisco said that platform-dependent workarounds may be available.

"Administrators may be able to leverage access control lists (ACLs), Control Plane Policing (CoPP), or other rate limiting measures to control the flow of fragmented packets that reach an affected interface. Off-device mitigations, such as external firewalls or infrastructure ACLs on edge devices, may also effectively control the flow of IP fragments that are directed to management interfaces or control planes of downstream affected devices," it said.
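The advisory leaves the rate-limiting mechanism to the platform (ACLs, CoPP, an upstream firewall). As an added example, not code from the advisory or from any Cisco product, the following models the policy itself: a token bucket per source address that is applied only to packets that are IP fragments, so unfragmented traffic is never policed, and a report of which sources exceeded the limit. The rate and burst values, the addresses and the traffic are constructed assumptions.

```python
"""Per-source rate limit on IP fragments, modelled in Python.

Added example, not code from the advisory or from any Cisco product. It models
the kind of rate limit the advisory suggests (limiting fragments that reach an
interface) as a token bucket keyed by source address, applied only to packets
that are fragments; unfragmented traffic is never touched. The traffic below is
constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Packet:
    ts: float             # arrival time in seconds
    src: str
    dst: str
    frag_offset: int      # fragment offset in bytes; 0 for an unfragmented packet or a first fragment
    more_fragments: bool  # IP "MF" flag

    @property
    def is_fragment(self) -> bool:
        # A non-zero offset or a set MF flag means the packet is one piece of a datagram.
        return self.frag_offset != 0 or self.more_fragments


class FragmentLimiter:
    """Token bucket per source: `rate` fragments/second sustained, at most `burst` at once."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens: Dict[str, float] = {}
        self.last_seen: Dict[str, float] = {}
        self.accepted: Dict[str, int] = defaultdict(int)
        self.dropped: Dict[str, int] = defaultdict(int)

    def verdict(self, pkt: Packet) -> str:
        if not pkt.is_fragment:
            return "accept"                      # only fragments are policed
        tokens = self.tokens.get(pkt.src, float(self.burst))
        elapsed = pkt.ts - self.last_seen.get(pkt.src, pkt.ts)
        tokens = min(float(self.burst), tokens + elapsed * self.rate)
        self.last_seen[pkt.src] = pkt.ts
        if tokens >= 1.0:
            self.tokens[pkt.src] = tokens - 1.0
            self.accepted[pkt.src] += 1
            return "accept"
        self.tokens[pkt.src] = tokens
        self.dropped[pkt.src] += 1
        return "drop"

    def offenders(self) -> List[str]:
        """Sources that had at least one fragment dropped, worst first."""
        return sorted(self.dropped, key=lambda s: -self.dropped[s])


def police(packets: Iterable[Packet], rate: float = 50.0, burst: int = 100) -> FragmentLimiter:
    """Run every packet through a limiter in arrival order and return it for inspection."""
    limiter = FragmentLimiter(rate, burst)
    for pkt in sorted(packets, key=lambda p: p.ts):
        limiter.verdict(pkt)
    return limiter


def constructed_traffic() -> List[Packet]:
    """Constructed sample: one host sends a normal 3-fragment datagram plus an unfragmented
    packet each second; another blasts 2000 fragments of one datagram inside one second."""
    mgmt = "192.0.2.1"
    pkts: List[Packet] = []
    for t in range(5):
        pkts.append(Packet(t + 0.0, "198.51.100.5", mgmt, 0, False))
        for i in range(3):
            pkts.append(Packet(t + 0.001 * (i + 1), "198.51.100.5", mgmt, 1480 * i, i < 2))
    for i in range(2000):
        pkts.append(Packet(10.0 + 0.0005 * i, "203.0.113.7", mgmt, 8 * i, True))
    return pkts


if __name__ == "__main__":
    limiter = police(constructed_traffic())
    for src in sorted(set(limiter.accepted) | set(limiter.dropped)):
        print(f"{src}: accepted={limiter.accepted[src]} dropped={limiter.dropped[src]}")
    print("offenders:", limiter.offenders())
```

The well-behaved host never loses a fragment, because three fragments per second sit far below both the burst and the sustained rate; the flooding source gets its first burst through and then only the refill rate, with everything else dropped before it reaches the reassembly code. Keying the bucket on source address is the simplest choice and is what an ACL or CoPP class usually does; it does not help against a flood spread across many spoofed sources, which is why the advisory also points at off-device filtering at the edge.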

Sam Haria, global SOC manager at Invinsec, told SC Media UK, "If an organisation believes that it is a high-risk target for DDoS attacks, one of the things that can be implemented – that should be considered further to standard signature-based firewalls, when considering mitigation approaches – is load balancers to balance traffic across multiple servers within a defined network with the goal of generating network availability. A costlier approach to smaller organisations is to have a contingency for extra bandwidth."

In general, however, Haria said, organisations need to ensure systems are regularly patched with the latest security patches, including operating system and application updates, in addition to firmware updates for network and security devices. "Organisations should have firewalls and other security appliances within the network that are capable of detecting the nature of these types of attacks," he said.

Adam Brown, manager of security solutions at Synopsys, told SC Media UK that if affected devices are present, a risk analysis should be performed assessing the impact of a denial of service and the likelihood of such an attack. "For example, an internal network with highly limited access would pose little risk, however an external facing network could cause public availability or performance issues for an organisation," he said.
