Advisory: Cisco IOS HTTP client DoS

October 18, 2011 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

DESCRIPTION:

There is a problem with the HTTP client implementation on Cisco IOS. If an administrator loads an application service via these commands:

router#config

Configuring from terminal, memory, or network [terminal]?

Enter configuration commands, one per line.  End with CNTL/Z.

router(config)#application

router(config-app)#service name http://ip_address/

router(config-app-param)#end

and the HTTP server responds with a special crafted HTTP response, the device will crash.

AFFECTED VERSIONS:

The vulnerability has been detected in a wide branch of Cisco IOS.

VENDOR RESPONSE:

http://tools.cisco.com/security/center/viewAlert.x?alertId=24436

CREDITS:

Jaime Blasco, Alienvault Labs

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL