Cisco Security Alert Urges Patch Of Critical Router Flaw

Cisco is urging users of its ASR 9000 Series Aggregation Services Routers to install a patch to address a critical flaw that could result in a denial of service attack or remote unauthenticated access to the device.

Cisco Systems yesterday disclosed 29 new vulnerabilities, including a critical alert for customers using its ASR 9000 Series Aggregation Services Routers. A flaw on the router, if not fixed, can be exploited remotely without user credentials, the networking giant said on its security advisories and alerts page.

San Jose, Calif.-based Cisco instructed ASR 9000 Series Aggregation Services router users to install an update to address a critical flaw on Wednesday. The ASR vulnerability is the most severe of the 29 new flaws that Cisco has disclosed with a severity rating of 9.8 out of a possible 10.

The vulnerability, according to Cisco, is due to incorrect isolation of the secondary management interface from internal sysadmin applications. If exploited by a hacker, a denial of service attack or remote unauthenticated access to the device could result, Cisco said.

[Related: Cisco, Palo Alto Networks Among Those Impacted By VPN App Flaw: Researchers]

For Computex Technology Solutions, a Houston-based solution provider that works with Cisco, the flaw impacting the ASR 9000 Series routers hasn't been an issue with its base of customers because ASR 9000 line is typically used by large service provider customers. Still, it's critical that customers take heed and protect themselves from a vulnerability of this scale, said Faisal Bhutto, executive vice president, enterprise networking, cloud and cybersecurity at Computex.

"For our base of midmarket customers, I haven't seen this issue bubble up, but Cisco has given it a critical rating so every customer [using the routers] should already be on top it," Bhutto said.

Cisco, according to Bhutto, is very good at identifying flaws like this latest router vulnerability early and informing partners and end customers. "All networking vendors have issues, some more than others, but not every company has the discipline to put out notices early when they identify issues and a remediation plan the way Cisco does, so Kudos to them, but now it's up to the customer to patch so they stay up and running," he said.

Cisco, for its part, released software updates that address this vulnerability on Wednesday. The company said that flaw only affects Cisco software running on ASR9000 Series Aggregation Services Routers and no other platforms have been impacted.

The CERT Coordination Center at Carnegie Mellon University last week found that VPN apps built by Cisco, Palo Alto Networks, F5 Networks and Pulse Secure insecurely store authentication tokens and session cookies in memory or log files. Once the report was published, the U.S. Department of Homeland Security's cybersecurity division issued an alert. Cisco denied being impacted by the flaw after it said it had investigated this issue and determined that its AnyConnect platform is not vulnerable to the behavior described in the vulnerability note from CERT.