Cisco has been kind enough to inform us (the general public) of a vulnerability in the FTP/Telnet authentication proxy of IOS. The advisory is located here. Steps for checking if you are running a vulnerable version and the affected module are included in the advisory.
I say that sarcastically considering the events of the Mike Lynn incident. Most large organizations tend to go for the Cisco-exclusive setup for their infrastructure, so I find Cisco’s (and most vendors’) disclosure policy disgusting. Let me explain why. Vendors have the tendency to release patches for vulnerabilities to their “preferred” customers prior to releasing patches to the public, in some cases, months before public release. Smaller organizations and individuals are left to suffer the full weight of exploits that are released while the big guys will have been sitting pretty for months. When vendors release details about vulnerabilities to the public, how long have those details been sitting on the shelf? It makes me feel so much better knowing that my business as an individual means so little to them. If this is how these guys are going to treat the general public, I think they just gave me my answer to Microsoft’s ad slogan of “Where do you want to go today?”
Currently there are no known exploits in the wild, and if there are any zero-day exploits, they are not creating mass havoc. So if you’re running vulnerable IOS versions, get your patches.