News

Cisco Discloses Serious IOS Flaw

Cisco Systems Inc. last week alerted users to multiple vulnerabilities in the Secure Shell (SSH) server implementation that ships with version 12.4 of its Internetwork Operating System (IOS).

In some cases, Cisco warned, a malicious attacker could exploit a flaw in the IOS SSH implementation to trigger denial of service (DoS) and reload the device.

Elsewhere, Cisco confirmed, attackers can exploit its IOS SSH implementation to generate spurious memory access errors. If an attacker is able to repeatedly reboot an IOS device, extended DoS could result, Cisco warned.

Cisco lists the IOS SSH daemon (SSHd) as an "optional" service, but its use is nonetheless highly recommended, because SSH facilitates secure command-line connectivity to IOS devices. Not all IOS devices are affected. According to Cisco, certain devices powered by IOS version 12.4 (and running SSH) may be affected. Versions of IOS prior to IOS 12.4 (including all 10.x and 11.x releases), as well as Cisco IOS XR are not affected, according to Cisco.

Cisco has published a software update and recommends any of workarounds for customers that don't wish to update their software. The first and most obvious workaround, according to Cisco representatives, is to disable the IOS SSHd. Users can also configure VTY access classes to allow only trusted hosts to establish SSH connections. Elsewhere, Cisco said, users can configure infrastructure Access Control Lists (iACL), a recommended security best practice, to restrict network traffic from targeting infrastructure devices.

In addition, Cisco said, customers can tap TELNET as an insecure alternative to SSH.

According to Cisco, the SSHd flaws were discovered internally or as a result of customer service requests. As a result, Cisco said it does not know of any malicious activity associated with the SSHd flaws.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.