ANI is an automatic device management feature that allows Cisco IOS devices to securely join a domain and be configured without prestaging — setting up the necessary accounts in advance.
Cisco’s new patches, released Wednesday, address three vulnerabilities in the way Cisco IOS and IOS XE devices handle autonomic networking (AN) messages.
One vulnerability could allow a remote unauthenticated attacker to force a vulnerable device to join a rogue autonomic domain by sending it specially crafted AN messages. This would give the attacker limited control over the device and would prevent it from joining the legitimate domain, Cisco said in a security advisory.
Another vulnerability could allow an attacker to spoof a device by sending rogue AN messages to an autonomic domain, which would prevent the legitimate device from joining.
The third vulnerability, also exploitable through specially crafted AN messages, could allow an attacker to cause an affected device to reload, leading to a denial-of-service condition.
The Cisco ASR 901, 901S, and 903 Series aggregation services routers and Cisco ME 3600, 3600X, and 3800X Series Ethernet access switches are vulnerable. Cisco released a version-checking tool for IOS devices and published a table with the fixes for those running IOS XE.