Cisco Issues Security Advisory To Warn Against Vulnerabilities In Content Service Gateway

By Author: Peter Martin
Total Articles: 211
Comment this article

Recently, security researchers at Cisco disclosed security flaws in its second generation content service gateway (CSG2). Content service gateways are used by organizations to offer access to content on their sites at a price. The gateway analyses the data traffic and allows organizations to bill the customers for the content offered. CSG 2 runs on Service and Application Module for IP (SAMI). One of the vulnerabilities has been identified as a service policy bypass vulnerability, which allows an attacker to circumvent billing polices and gain unauthorized access to restricted content. The vulnerability allows customers of an organization to gain access to sites with similar billing policy without being charged. The security flaw also allows customers to gain access to sites, which are generally configured to restrict access.

The affected CISCO IOS Software include 12.4 (11)MD, 12.4(15)MD, 12.4(22)MD and versions released prior to 12.4(24)MD 3, 12.4(22)MDA 5 and 12.4(24)MDA 3 on CSG2.

Content service gateways allow organizations to earn for the content offered on their websites. and restrict improper use of ...
... content by third parties. The gateways prevent other service providers from taking undue benefit of content available on an organizations website.

Security researchers at Cisco have also identified two vulnerabilities in Cisco IOS Software 12.4(24)MD1 for CSG2. The identified vulnerabilities may cause denial-of-service condition on CSG 2. Attackers may use well-crafted Transmission Control Protocol (TCP) packets to gain unauthorized access and cause denial of service stopping the traffic flow to CSG2. The vulnerability requires only one active service content to be active to be exploited by the attackers. The vulnerabilities affect IOS Software 12.4(24)MD1 for the second generation content service gateway. The vulnerability may cause the gateway to reload or stuck denying services.

Usually, ethical hackers help developers in identifying vulnerabilities prior to individuals with malicious intent to prevent their exploitation. Cisco is yet to issue any patch for the vulnerabilities.

Developers are faced with the constant challenge of developing secured products. Attackers on the other hand constantly endeavor to breach security mechanisms. Online training programs enable self paced learning and skill enhancement facility to product developers without disrupting their work obligations.

Information security training may help employees of an organization to understand the relevant security threats, gain insights on the likely implications, understand the first response procedures and ensure timely reporting of vulnerabilities.