It seems that companies will never stop being inconvenienced by some security flaws. Vulnerability testing experts report that Cisco has extended the update patch to address a critical denial of service (DoS) vulnerability that was first detected and corrected in 2016.
The vulnerability in question, tracked as
CVE-2016-1409 is a flaw on the IPv6 packet processing feature present in
multiple company products. If exploited, the vulnerability would allow an
unauthenticated remote threat actor to prevent a vulnerable device from
processing IPv6 traffic, generating the DoS condition on the targeted device.
“A hacker could exploit the vulnerability
by sending specially crafted Neighbor Discovery (ND) packets to any affected
device for its processing. If the flaw is successfully exploited, the DoS
condition will be triggered,” the specialists added.
Among the devices affected by this
vulnerability are all those working with the following systems:
- Cisco IOS XR
- Cisco IOS
- Cisco IOS XE
- Cisco NX-OS
- Cisco ASA
- Cisco StarOS
This means that the vulnerability is not
limited to products developed by Cisco. “This is a clear example of a
configuration error in a software vendor; any device that is unable to discard
these specially crafted packages could be impacted by the vulnerability,”
say vulnerability testing experts. For example, some older versions of Juniper
Junos and Huawei
devices could also be vulnerable to this attack variant.
Upon publication of reports on the resurgence
of the vulnerability, various members of the cybersecurity community questioned
the company, which responded by announcing the extension of the original patch,
released more than three years ago. “Cisco is investigating its entire
product line to determine the scope of the vulnerability as well as the
potential impact on each product. Security patches for this vulnerability will
be released and/or updated as soon as possible,” the company’s security
report says.
Cisco is constantly developing security patches
to fix multiple vulnerabilities present in its developments. According to
vulnerability testing specialists from the International Institute of Cyber
Security (IICS) a few weeks ago the company released patches to fix six
critical vulnerabilities affecting various products such as Unified Computing
System server line and 220 Series Smart switches.
All critical vulnerabilities recently fixed by
the company are related to a remote hacker’s ability to take control over an
exposed device.
