A Web site blackout Wednesday prevented Cisco Systems customers from retrieving 21 critical patches for about three hours Wednesday, shortly after the fixes were posted by the network hardware maker.
Updates for nearly two dozen vulnerabilities in IOS, formerly known as Internetwork Operating System and the controlling software for most Cisco routers and switches, were released around 11 a.m. EDT Wednesday. Cisco.com, however, went dark around 2 p.m. EDT and didn't come back online until about 5 p.m. On Thursday, Cisco blamed "human error" for the site swooning, and added that the severity of the resulting electrical overload prevented the expected redundancies from kicking in.
The 21 patches, deployed in four updates, were posted three hours before the blackout, and would repair IOS against a swath of vulnerabilities, some of which could result in attackers injecting their own code into vulnerable Cisco hardware. Three of the four IOS updates, according to Cisco's advisories, plug holes that attackers can, or might be able to, exploit with remote code.
Internet Storm Center analyst Tom Liston ranked two of the four -- "Secure Copy Authorization Bypass Vulnerability" and "Voice Vulnerabilities in Cisco IOS" -- as especially dangerous, and urged administrators to patch them as soon as possible.
Of the bypass update, Liston said: "[The attacker] needs a log-in, but after that, it's pretty much game-over." The 16 bugs quashed by the voice vulnerabilities update are even scarier, he said. "The others can potentially wait for testing, this [set] can't. Patch now."
Danish vulnerability tracker Secunia, however, rated the bypass bug as "less critical," the second step in its five-mark scoring system, and tagged the voice flaws as "moderately critical," its middle rank.