The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Patch those Cisco Boxes Today!

Posted by Xavier Ashe on November 8, 2005

The Cisco Internetwork Operating System (IOS) may permit arbitrary
code execution after exploitation of a heap-based buffer overflow
vulnerability. Cisco has included additional integrity checks in its software,
as further described below, that are intended to reduce the likelihood of
arbitrary code execution.

Cisco has made free software available that includes the additional
integrity checks for affected customers.

Cisco is not aware of any active exploitation of this vulnerability.
This advisory documents changes to Cisco IOS® as a result of continued research
related to the demonstration of the exploit for another vulnerability which
occurred in July 2005 at the Black Hat USA Conference. Cisco addressed the IPv6
attack vector used in that demonstration in a separate
advisory
published on July 29, 2005.

Read the full security advisory.  This affects all Cisco products that run any version of IOS (except
Cisco IOS XR).  Attackers can crash your box, or worse, run shell
code.  From the looks of it, this might be the fix for the hole
that Mike Lynn was trying to expose.  I blogged about this a few
times.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: