Multiple routers and switches affected by the flaws

Mar 26, 2015 17:04 GMT  ·  By

Several security flaws that could be leveraged for denial of service (DoS) attacks have been found and patched in Cisco’s IOS software. The vulnerable component is the Autonomic Networking Infrastructure (ANI) feature.

On Wednesday, Cisco announced that the software received fixes that prevent a remote attacker from gaining control of the device with limited privileges, or from causing a DoS, all without the need to authenticate.

IOS is the operating system powering Cisco routers and switches, while the ANI feature is designed to let devices manage themselves automatically, following self-management principles.

Exploiting two of the vulnerabilities discovered in ANI (CVE-2015-0636 and CVE-2015-0637) would, respectively, disrupt access to the autonomic domain from a specific Autonomic Networking (AN) node and cause the affected device to reload. These weaknesses received CVSS severity scores of 7.1 and 7.8, respectively.

Another glitch, identified as CVE-2015-0635 (CVSS severity rating 9.0), allows a remote attacker to spoof an Autonomic Networking Registration Authority (ANRA) response, due to insufficient response validation.

Beyond causing a DoS on the device, exploitation could bootstrap a device into an untrusted autonomic domain and give the attacker limited command and control of the AN node.

In a security advisory, Cisco said that the products affected by these glitches are ASR 901, 901S, and 903 Series Aggregation Services Routers and ME 3600, 3600X, and 3800X Series Ethernet Access Switches.