Cisco Patches DoS Flaw in NCS 6000 Routers

Type threatpost
Reporter Michael Mimoso
Modified 2016-07-20T15:06:24


Cisco Systems today released patches for two products, including one for a vulnerability rated a high criticality in Cisco IOS XR for the Cisco Network Convergence System series routers.

The flaw rests in the management of system timer resources and could allow an attacker to remotely crash the router.

“An attacker could exploit this vulnerability by sending a number of Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure FTP (SFTP) management connections to an affected device,” Cisco said in its advisory. “An exploit could allow the attacker to cause a leak of system timer resources, leading to a nonoperational state and an eventual reload of the RP on the affected platform.”

Such connections could overwhelm the router, leading it to crash and eventually reload the Route Processor, Cisco said.

The vulnerability affects Cisco NCS 6000 only when Cisco IOS XR is configured to process SSH, SCP and SFTP management connections to the router. An attacker could exploit this using either IPv4 or IPv6 packets and by sending them to TCP listening port 22 or other TCP ports configured for the services in question.

“An attacker must establish a TCP three-way handshake, but the management connection to a vulnerable device does not have to be authenticated,” Cisco said. “This vulnerability can be triggered only by traffic destined to an affected device and cannot be exploited with traffic transiting an affected device.”

Cisco’s second patch released today addresses a flaw in the Cisco ASR 5000 Series, prior to versions 19.4 and 20.1. Cisco ASR are aggregation services routers designed for service provider and enterprise networks.

Cisco said the flaw is in the SNMP configuration management and a remote attacker can exploit this to read and modify device configurations using SNMP read-write community strings.

“The vulnerability occurs because the configured SNMP community string is not confidential,” Cisco said in its advisory. “An attacker could perform an SNMP query to the affected device to view the SNMP community string. An exploit could allow the attacker to read and modify the device configuration using the disclosed SNMP read-write community string.”

The flaw has a CVSS base score of 4.0, while the IOS vulnerability has a score of 7.8.