Secunia

Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service), bypass certain security restrictions, disclose sensitive information, or compromise a vulnerable device.

1) An error exists in the login section of the Extension Mobility feature of the Cisco Unified CME (Communications Manager Express) component. This can be exploited to cause a buffer overflow via specially crafted HTTP requests.

Successful exploitation may allow execution of arbitrary code.

2) An error in the IKE implementation can be exploited to allocate all available Phase 1 SAs and prevent new IPSec sessions from being established.

Successful exploitation requires that the IKE certificate based authentication method is used.

3) Multiple errors exist in the IP tunnelling implementation when switching network packets. These can be exploited to trigger a device reload via specially crafted packets.

Successful exploitation requires that the device is configured for PPTP, GRE, IPinIP, Generic Packet Tunneling in IPv6, or IPv6 over IP tunnels, and Cisco Express Forwarding.

4) An error in the implementation of the Object Groups for ACLs feature can be exploited to bypass access control policies.

5) An error in the H.323 implementation can be exploited to trigger a device reload via specially crafted TCP packets.

Successful exploitation requires that H.323 is enabled (disabled by default).

6) An error in the SIP implementation related to the Cisco Unified Border Element feature can be exploited to trigger a device reload.

For more information:
SA36836

7) An error in the SSLVPN, SSH, and IKE Encrypted Nonces features can be exploited to reload a device via specially crafted packets sent to TCP ports 22 (for SSH) or 443 (for SSLVPN), or UDP ports 500 and 4500 (for IKE Encrypted Nonces).

8) A race condition error exists in the Authentication Proxy for HTTP(S), Web Authentication, and consent features. This can be exploited to bypass the authentication proxy services and the consent accept web page if a successfully authenticated session or accepted consent session exists.

9) An error exists in the Cisco IOS Zone-Based Policy Firewall SIP inspection feature. This can be exploited to reload a device via a specially crafted SIP transit packet.

10) An error exists in the NTPv4 implementation while creating NTP reply packets. This can be exploited to trigger a device reload via a specially crafted NTP packet.

Solution
Update to a fixed version (please see the vendor's advisories for details).

Provided and/or discovered by
1, 3-10) Reported by the vendor.
2) Reported to the vendor by a customer.

Original Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area