Cisco IOS-XE update time: Squash that DoS bug

Fixes how the daemon triggers error messages for packets it can't reassemble


Bad error message handling has opened up Cisco's IOS-XE versions prior to 3.13S to a remote denial-of-service (DoS) attack.

The company's threat advisory hints that the exploit was brought to Cisco's attention by an independent researcher, since it states that "functional exploit code exists; however, the code is not known to be publicly available."

IOS XE is a Linux daemon version of the Borg's operating system that abstracts routing functions away from platform-specific interfaces.

The problem Cisco has now patched deals with how the daemon triggers error messages for packets it can't reassemble. "When an affected device fails to successfully perform reassembly, instead of silently dropping the fragments, the ATTN-3-SYNC_TIMEOUT error message may be triggered," it explains.

The resulting consumption of CPU resources could, Cisco says, cause queued processes to halt. "An attacker could trigger this vulnerability by sending a series of IPv4 or IPv6 fragments, that are designed to trigger the error message, directly to the affected device."

IOS-XE users should get in touch with Cisco to get their hands on updates. ®
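The ATTN-3-SYNC_TIMEOUT message quoted above is also something to watch for in collected syslog until devices are updated. The sketch below is an added example, not code from Cisco or the article: it flags any device that logs the message repeatedly within a short window. The collector line format, hostnames, sample lines, threshold and window are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed collector format (not from the advisory):
#   "<ISO-8601 time> <hostname> %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+.*?%ATTN-3-SYNC_TIMEOUT\b")

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {host: time at which `threshold` ATTN-3-SYNC_TIMEOUT messages
    were first seen inside `window`}. Lines must be in time order per host."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # other messages and malformed lines
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue              # timestamp is not in the assumed format
        host = m.group(2)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window: # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample input; the text after each mnemonic is a placeholder,
# not real device output.
SAMPLE = [
    f"2021-01-01T10:00:{s:02d}+00:00 rtr-a %ATTN-3-SYNC_TIMEOUT: constructed"
    for s in (0, 10, 20, 30, 40, 50)
] + [
    "2021-01-01T10:00:05+00:00 rtr-b %LINK-3-UPDOWN: constructed unrelated line",
    "2021-01-01T10:05:00+00:00 rtr-b %ATTN-3-SYNC_TIMEOUT: constructed",
    "2021-01-01T11:05:00+00:00 rtr-b %ATTN-3-SYNC_TIMEOUT: constructed",
    "not a syslog line",
]

if __name__ == "__main__":
    for host, when in find_bursts(SAMPLE).items():
        print(f"{host}: ATTN-3-SYNC_TIMEOUT burst at {when.isoformat()}")
```

An isolated occurrence, as on the constructed rtr-b, stays below the threshold; tune both parameters against what your own devices log in normal operation.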

