It seems that companies will never stop being inconvenienced by some security flaws. Vulnerability testing experts report that Cisco has extended the update patch to address a critical denial of service (DoS) vulnerability that was first detected and corrected in 2016.
The vulnerability in question, tracked as CVE-2016-1409 is a flaw on the IPv6 packet processing feature present in multiple company products. If exploited, the vulnerability would allow an unauthenticated remote threat actor to prevent a vulnerable device from processing IPv6 traffic, generating the DoS condition on the targeted device.
“A hacker could exploit the vulnerability by sending specially crafted Neighbor Discovery (ND) packets to any affected device for its processing. If the flaw is successfully exploited, the DoS condition will be triggered,” the specialists added.
Among the devices affected by this vulnerability are all those working with the following systems:
- Cisco IOS XR
- Cisco IOS
- Cisco IOS XE
- Cisco NX-OS
- Cisco ASA
- Cisco StarOS
This means that the vulnerability is not limited to products developed by Cisco. “This is a clear example of a configuration error in a software vendor; any device that is unable to discard these specially crafted packages could be impacted by the vulnerability,” say vulnerability testing experts. For example, some older versions of Juniper Junos and Huawei devices could also be vulnerable to this attack variant.
Upon publication of reports on the resurgence of the vulnerability, various members of the cybersecurity community questioned the company, which responded by announcing the extension of the original patch, released more than three years ago. “Cisco is investigating its entire product line to determine the scope of the vulnerability as well as the potential impact on each product. Security patches for this vulnerability will be released and/or updated as soon as possible,” the company’s security report says.
Cisco is constantly developing security patches to fix multiple vulnerabilities present in its developments. According to vulnerability testing specialists from the International Institute of Cyber Security (IICS) a few weeks ago the company released patches to fix six critical vulnerabilities affecting various products such as Unified Computing System server line and 220 Series Smart switches.
All critical vulnerabilities recently fixed by the company are related to a remote hacker’s ability to take control over an exposed device.