Cisco Warns Routers And Switches Are Vulnerable To Denial Of Service Attacks

Cisco has warned that some of its switches and routers are vulnerable to Denial of Service (DOS) attacks, even if configured properly.

Some Cisco devices running IOS Version 12.2S that have Dynamic Host Configuration Protocol (DHCP) server or relay agent enabled are vulnerable to DOS attacks when sent specially crafted DHCP packets. Even if the DHCP service or DHCP relay service is not enabled, the router or switch may be vulnerable, Cisco warned.

The vulnerability is caused by a flaw in the way in which the router and switch software handles DHCP packets. According to a Cisco advisory, if irregular DHCP packets are sent designed to attack the device, the packets "will remain in the queue instead of being dropped. If a number of packets are sent that equal the size of the input queue, no more traffic will be accepted on that interface." That means that the device will no longer function, and will not perform routing or switching functions.

The following devices are affected, if they are running a branch of IOS version 12.2S:

Cisco devices that do not run IOS software are not affected by the vulnerability. Additionally, Cisco devices running Cisco IOS software with the command no service dhcp enabled are not affected.

Cisco has released a software patch to fix the problem, and published workarounds. For details, see Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service.