By Darren Pauli, 24th October 2014 09:33

Cisco patches three-year-old remote code-execution hole

Patch or kill Telnet

A dangerous three-year-old remote code execution hole affecting Cisco kit has been patched.

Researcher Glafkos Charalambous discovered the Telnet vulnerability (CVE-2011-4862), which was first reported by the FreeBSD Project in 2011. It remained unpatched in Cisco appliances until 15 October this year.

The International Business Schools IT manager found the bug in the AsyncOS software in all versions of Cisco's web, email and content security management appliances.

Cisco warned that customers were open to arbitrary code execution if they enabled Telnet on those devices.

"A vulnerability in telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system," Cisco wrote in a revised advisory.

"The vulnerability is due to insufficient boundary checks when processing telnet encryption keys.

"An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system [and] execute arbitrary code on the system with elevated privileges."

Cisco gave the vulnerability a base score of 10 because of its ease of exploitation and highly damaging impact.

Cisco included information on the impact on IronPort systems in 2012 and has detailed some workaround alternatives for those unable to patch quickly. ®
