Last week, Cisco announced more security advisories regarding multiple possible vulnerabilities for range of it’s product. I will post here just a short summary about this advisories and provide you with the links to the full descriptions of the possible problems:
October 14, 2009 – Cisco Unified Presence Denial of Service Vulnerabilities
Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that may cause an interruption to presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.
Cisco has released free software updates that address these vulnerabilities.
October 15, 2009 – Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:
Malformed HTTP or HTTPS authentication response denial of service vulnerability
SSH connections denial of service vulnerability
Crafted HTTP or HTTPS request denial of service vulnerability
Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
Cisco has released free software updates that address these vulnerabilities.
October 19, 2009 – Cisco IOS Software Tunnels Vulnerability
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
October 15, 2009 – Cisco IOS Software Authentication Proxy Vulnerability
Cisco IOS® Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
Cisco has released free software updates that address this vulnerability.
There are no workarounds that mitigate this vulnerability.
October 19, 2009 – Cisco IOS Software Internet Key Exchange Resource Exhaustion Vulnerability
Cisco IOS® devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
