Two of the advisories covered denial-of-service (DoS) vulnerabilities in IOS SSH and the Secure Control Engine (SCE), while the other alert concerned a privilege escalation in Cisco Voice Portal (CVP).
The Cisco Security Advisory stated that the "Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device."
The Cisco advisories reported that the vulnerabilities were discovered in-house, but SANS warned that the updates could be reverse engineered to create an attack exploit.
“Anytime we see a ‘spurious memory access' leading to a denial of service, thoughts immediately go to arbitrary code execution. There is no evidence that this is possible, but in light of the recent work in IOS rootkits, [vulnerabilities] in Cisco devices should not be taken lightly, the SANS Handler's Diary entry stated.
Secunia reported that the vulnerabilities are caused "due to unspecified errors within the SSH server implementation in Cisco IOS. These can be exploited to generate a spurious memory access or to reload the device. Successful exploitation requires that the SSH server is enabled (not enabled by default)."
The vulnerabilities are reported in certain 12.4-based IOS releases, Secunia said. Cisco has released patches to fix the flaws.
See original article on scmagazineus.com
SANS says reverse engineering of Cisco patches possible
By Greg Masters on May 26, 2008 9:57AM