By Darren Pauli, 24th October 2014 09:33

Cisco patches three-year-old remote code-execution hole

Patch or kill Telnet

A dangerous three-year-old remote code execution hole affecting Cisco kit has been patched.

Researcher Glafkos Charalambous discovered the Telnet vulnerability (CVE-2011-4862), which was first reported by the FreeBSD Project in 2011. It remained unpatched in Cisco appliances until 15 October this year.

The International Business Schools IT manager found the bug in the AsyncOS software in all versions of Cisco's web, email and content security management appliances.

Cisco warned that customers were open to arbitrary code execution if they enabled Telnet on those devices.

"A vulnerability in telnet code of Cisco AsyncOS could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system," Cisco wrote in a revised advisory.

"The vulnerability is due to insufficient boundary checks when processing telnet encryption keys.

"An unauthenticated, remote attacker could exploit this vulnerability by sending malicious requests to a targeted system [and] execute arbitrary code on the system with elevated privileges."

Cisco gave the vulnerability a base score of 10 due to its ease of exploitation and highly damaging impact.

Cisco included information on the impact on IronPort systems in 2012 and has detailed some workaround alternatives for those unable to patch quickly. ®
