Cisco Systems Inc. security has announced 3 remotely exploitable flaws for the Cisco IOS software:

• Crafted TCP Packet Can Cause Denial of Service
• Crafted IP Option Vulnerability
• IPv6 Routing Header Vulnerability

Usually these security notifications are released to large customers before the general public, so large customers have time to update or protect their equipment. However, it’s the smaller networks that are at the greatest risk. Many don’t have Cisco support contracts (or can’t afford them), or don’t have an individual on staff to upgrade their equipment.

When will the first exploit code be released? Will anybody admit to being compromised by the exploit? How will a common user realize they have a problem? The small business customers who think owning Cisco is the way to go need to address the total cost of keeping those systems up to date. Many times a customer won’t upgrade a core router or switch because they don’t know how or don’t know they have a problem. How many service providers will contact their customers warning them about these flaws? Most small businesses don’t have a clue if they are vulnerable or not. How does Cisco fix this issue? What means does a small company have to keep all their systems up to date? Most end users barely can keep up with Windows, virus, adware and spyware updates little alone keeping up with all their network equipment. How many people have updated the software on your home router?

I believe the next great worm will be targeted towards networking equipment. How about taking over all the Linksys routers/access points and making them spam bots or open relays? What about using a Cisco vulnerability to create tunnels to specific locations to monitor all traffic through a router. More to come …