Slashdot Mirror


Cisco Announces Holes In PIX Firewall

iiioxx writes "Cisco Systems announced on December 15, 2003 that new security holes have been found in the PIX firewall IOS. The vulnerabilities are in SNMP and VPNC functionality, and both allow for DoS attacks against an affected firewall. Vulnerable IOS versions are 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier, and 5.x.x and earlier. There are a couple of workarounds for the SNMP vulnerability, but the only way to correct the VPNC problem is to upgrade the IOS."
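The affected-version list in the submission is easy to misread in an inventory spreadsheet (6.3.1 is affected but 6.3.3 is not; every 6.0.x release falls under "6.1.4 and earlier"). The following is an added example, not code from the advisory or from Cisco, that turns that list into a triage check over `show version` banners. Assumptions: the banner format `Cisco PIX Firewall Version 6.3(1)` and the hostnames are constructed sample data, and any release not covered by the submission's wording (6.2.3, 6.3.2 and later) is treated as not affected.

```python
import re
from typing import Dict, Tuple

# Affected PIX software versions as stated in the advisory summary above:
#   6.3.1; 6.2.2 and earlier; 6.1.4 and earlier; 5.x.x and earlier.
# Assumption (not from the page): releases not covered by that wording,
# e.g. 6.2.3 or 6.3.2, are treated as fixed.

# Accepts "6.3.1", "6.3(1)" or a banner line containing either form.
_VER_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)\)?")


def parse_pix_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a version string or banner line."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no PIX version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Apply the advisory's affected-version list to one parsed version."""
    major, minor, patch = version
    if major <= 5:
        return True                          # 5.x.x and earlier
    if major == 6:
        if minor <= 1:
            return (minor, patch) <= (1, 4)  # 6.0.x and 6.1.0 .. 6.1.4
        if minor == 2:
            return patch <= 2                # 6.2.2 and earlier
        if minor == 3:
            return patch == 1                # only 6.3.1 is named
    return False                             # assumption: anything else is fixed


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'affected' or 'ok' from collected show version banners."""
    return {
        host: ("affected" if is_affected(parse_pix_version(banner)) else "ok")
        for host, banner in banners.items()
    }


# Constructed sample inventory; hostnames and banners are made up for the example.
SAMPLE_BANNERS = {
    "fw-hq-01": "Cisco PIX Firewall Version 6.3(1)",
    "fw-hq-02": "Cisco PIX Firewall Version 6.3(3)",
    "fw-br-07": "Cisco PIX Firewall Version 6.2(2)",
    "fw-br-12": "Cisco PIX Firewall Version 6.1(5)",
    "fw-lab-01": "Cisco PIX Firewall Version 5.3(2)",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {state}")
```

The comparison deliberately keys on the submission's phrasing rather than a single "less than 6.3.2" test, because 6.2.3 and 6.1.5 are fixed releases that sit numerically below 6.3.1.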

2 of 23 comments

  1. Not the PIX you are thinking of by Anonymous Coward · Score: 0, Interesting

    This advisory only covers the PIX that operates as a blade in the Catalyst 6500 series switches. The regular PIX is unaffected.

    Why someone would want to integrate their firewall into their internal switch is beyond me anyway.

  2. Re:Umm... it's not IOS by iiioxx · Score: 4, Interesting

    > I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

    I spent about 5 years working for a Cisco VAR, which means I spent a great deal of time talking to Cisco SEs and, of course, TAC engineers. I've heard more than a couple of CCIEs refer to IOS in a generic context.

    Now, I'm a sys/netadmin for a company with around 130 locations across the US (and a boatload of Cisco gear). I and my cohorts likewise throw the term "IOS" around quite liberally.

    > Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs...

    Actually, the "chassis" doesn't run anything, and the Sups run CatOS (just do a 'show module' on your Cat to see for yourself). But I think you are making the point of a Sup running CatOS and the MSFC running IOS, thus having multiple OSes in one box/blade.

    In that situation, though, they are more conjoined twins than a singular entity. In fact, in our hardware naming system, the MSFC has a totally different designator than the Supervisor or chassis. So I wouldn't say "upgrade the IOS on that Cat". I'd say "upgrade the IOS on XX03RM02" or "upgrade the IOS on XX03SW01". The designator makes it clear which software I am referring to. XX03 is a site code, SW is a switch or Sup (thus CatOS), and RM is a router module or MSFC (thus IOS). Our hardware management database keeps track of the fact that XX03RM02 is conjoined with XX03SW01 and they are in the chassis with asset tag XYZ123.

    > The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names.

    That would explain it.