Major Flaw Found In Cisco IOS Devices
Joff_NZ writes "CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet), and Cisco have this advisory with a workaround and available fixes."
Yet... (Score:5, Insightful)
I say we start a pool on how long yet will actually be, now that CERT released the info.
Re:Yet... (Score:3, Insightful)
More details (Score:2)
-- Jack
Re:Yet... (Score:5, Funny)
Re:Yet... (Score:3, Funny)
Re:Yet... (Score:2)
Mountain dew, nah. The sugar makes me sleepy after 20 minutes. I prefer my caffeine to be like my soul: Dark, Bitter, and (slurp) Empty.
Re:Yet... (Score:5, Funny)
Rus
Re:Yet... (Score:5, Funny)
Re:Yet... (Score:2)
goodstuff [juniper.net]
warning this page requires 'flash' (virus?worm?entertainment?)
Re:Yet... (Score:5, Interesting)
I think this one is one of the best:
http://www.juniper.net/nettoons/03_1280.jp
(Just change the first number)
Re:Yet... (Score:2, Funny)
And I thought the ebay lady was a little weird... the juniper one looks like she knows where I live, and she's gonna come round and hack me to death when I least expect it.
Re:Yet... (Score:2, Funny)
Re:Yet... (Score:2)
the problem with that thinking (Score:2)
Oh, Juniper makes great routers, but they're all carrier (ISP) class, or at least they all were when I trained on them. You're not going to find them used as customer CPE very often... and individual companies have the most to lose by this exploit, especially small ones whose ISPs maintain their equipment for them, who aren't rolling out fixes for all those small Ciscos now.
Re:Yet... (Score:3, Funny)
Re:Yet... (Score:3, Funny)
Re:Yet... (Score:2)
On my new big LCD monitor it looks like this lady is in the room right beside me. I'm not going to be able to sleep.
Seriously, I can stand Ogrish [ogrish.com] and Rotten [rotten.com] without a hitch, but somehow this lady gives me the creeps ...
Print out that image in poster size and hang it up in your office. Tell people that's your project manager to freak them out.
Re:Yet... (Score:2)
Re:Yet... (Score:5, Informative)
and no posting of the exploit code? (Score:2, Interesting)
A four-hour timeout for IPv4 packets and you can do it remotely to almost ANY Cisco device except those that are run as purely IPv6. Seems more like a nuisance DoS exploit and hope not to see it.
Re:and no posting of the exploit code? (Score:2)
Re:and no posting of the exploit code? (Score:3, Insightful)
Re:and no posting of the exploit code? (Score:3, Funny)
Today "CiscoWorks" would probably be a contradiction in terms.
Re:and no posting of the exploit code? (Score:2, Insightful)
It's days like this... (Score:5, Funny)
Re:It's days like this... (Score:5, Interesting)
fun
Rus
Re:It's days like this... (Score:3, Informative)
2) With that many servers, if you're not doing it with package management (solaris pkgadd, rpm, deb, hp..., AIX..., etc... all of them have at least a rudimentary package management tool, even if it's tar), you might want to re-visit your design.
3) Deploying BIND without some forethought is going to get
Re:It's days like this... (Score:2)
Of course you REALLY want to lock down that database! (All of my servers clone a copy of a master database locked deep behind the firewall in my fortress of solitude. They also have iptables hooks to prevent ANYONE from accessing mysql except through the local socket.)
Re:It's days like this... (Score:4, Funny)
Re:It's days like this... (Score:3, Insightful)
Re:It's days like this... (Score:2)
I'm also an unemployed network engineer... with Juniper training, to boot.
Alternative (Score:4, Funny)
Rus
Re:Alternative (Score:2)
Re:Alternative (Score:4, Funny)
Re:Alternative (Score:2)
Re:Alternative (Score:3, Funny)
Re:Two reference implementations required? (Score:2)
I suggest that African and European swallows are used as reference implementations.
Whoa, very interesting!! (Score:3, Interesting)
If I fire up Ethereal to peek at the traffic, I notice that the arp who-has requests are labeled with a source of "cisco_f2"
Wonder if someone has been pointing this sploit at cablemodem routers ??
Re:Whoa, very interesting!! (Score:5, Informative)
Re:Whoa, very interesting!! (Score:2)
Disclosure of vulnerabilities (Score:2, Troll)
Notice how both vulnerabilities, from Cisco and Microsoft, were not released to the public first. Instead the public announcement comes after the vendors have the patches.
Exploits, anybody?
Re:Disclosure of vulnerabilities (Score:5, Insightful)
Re:Exploits, anybody? (Score:2)
Thinking about shutting down the Internet today? I think I prefer to keep my job :-)
No Exploits My A$$ (Score:5, Interesting)
I'm not Anonymous, Just Lazy.
Crackers`n`Soup
Re:No Exploits My A$$ (Score:2)
I'll bet AT&T knew this before today.
Comcast has been having problems all day... (Score:5, Interesting)
tbr1-p013601.sffca.ip.att.net [12.122.11.77] (hop #6 after my cable modem)
I have no idea what the problem is or whether it's related to this exploit, but it really stinks to have the connection continually crash. I actually haven't had problems in the last few months... until today. I hope this isn't a harbinger of things to come...
Re:Comcast has been having problems all day... (Score:2)
Re:Comcast has been having problems all day... (Score:2)
"...until/unless a Cisco DDoS vulnerability is found..."
:)
It's true... it could happen. But since our 100% uptime guarantee comes directly from MFN/Abovenet, we can be reimbursed for any downtime.
Plus, if we go down, so do many other, larger companies, such as Google (which is in the same datacenter we are). We certainly won't be the only ones hung out to dry.
At least it won't worm. (Score:5, Insightful)
Re:At least it won't worm. (Score:2)
You might be able to cripple big chunks of the internet every time you do it, and it'd probably be a long time before all the zombies got fixed. Anybody out there run a webserver? How many Nimda/Code Red requests did you get today? Nimda wasn't even a very smart worm.
Re:At least it won't worm. (Score:2)
All an individual has to do is something like this:
1 - Generate a list of hosts on the net
2 - Grab the first host off the list
3 - traceroute to the host
4 - send 10-20 of the "specially crafted packets" to each hop in reverse order
5 - cache the IP addresses that have been used
6 - Loop around and start again on the next host. Skip addresses that have already been done.
It's not that hard folks. Get enough machines running something like the above a
Re:At least it won't worm. (Score:2)
Re:At least it won't worm. (Score:3, Informative)
The ACL "fix" is not a fix (Score:5, Interesting)
Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface.
Does "A rare sequence of crafted IPv4 packets sent directly to the device" mean a sequence utilizing one of these three protocols? If so then frigging tell us! If not, this is just a vague precautionary warning that really won't stop any user inside the network from exploiting the bug.
The TRUE details of the bug, including which protocol it uses, would help us put a nail in the coffin regarding the ACL workaround, but the Cisco bug tool isn't returning any information for the bugs they're talking about - specifically CSCea02355 and CSCdz71127.
Yes it is (Score:5, Insightful)
Don't confuse traffic going THROUGH the router with traffic directed TO the router. You probably want to control the latter because as a good netadmin you should know that this is good practice.
Re:Yes it is (Score:2)
Proper filtering of packets targeted at the router helps to make it more robust against DoS attacks directed at the router itself. Actually, most people already have such filters in place (especially on IOS versions which support IP receive ACLs).
Re:Not if you're using anything less than a 72xx! (Score:2)
Of course, if you were to use one of those funky flash IDE drives you could do the whole thing without an HDD and then you'd be talking negligible power consumption and no moving parts. You still lose on the rack space thing, though.
Re:The ACL "fix" is not a fix (Score:2)
Latest news .... (Score:5, Funny)
"It is great to have found Major Flaw but we are still very worried about the others. Our job here is not finished." said Private Data.
Colonel Panic has been spotted from time to time but the army has not yet been able to pinpoint his exact position. But the gravest of fears are held for General Protection-Fault. Sightings of the General have been few and far between in the last few years. Some conspiracy theorists say that he is not actually missing but has disguised himself. Private Data would not confirm whether they are searching for a man of similar build to General Protection-Fault but dressed all in blue.
There ARE exploits in the wild (Score:5, Interesting)
Below is a note I received from my ISP about 2 hours before this topic was posted:
=-=-=-=-=-=-=-=-=-=-=
17/07/03 01.12 - 01.38 DOS Attack on Sydney PoPs
Incident
A DoS attack against the AN border router resulted in that router's CPU reaching 100% and triggering the same attack on the Perth gateway router which in turn brought down the Comindico Border router.
Action
While all of the hardware remained 'up' nothing could be authenticated and therefore all traffic through the Sydney PoP ceased.
Resolution
Swiftel Engineering rebooted the Perth Gateway router clearing the DoS packets and that in turn allowed the Sydney routers to rebuild the BGP4 tables thus restoring the ability to process customer traffic.
Result
By 1.38 pm all traffic was flowing normally.
Future Elimination Of This Problem
The elimination of this type of new DoS attack has just been recognised and released by Cisco (today) and the workaround and fixes are documented in:
http://www.cisco.com/warp/public/707/cisco-sa-2
We are considering whether to implement the workarounds which may impact traffic such as ICQ and some games or upgrade the IOS's in all of our Cisco equipment.
We will inform you when that decision is made.
Re:There ARE exploits in the wild (Score:2)
Of course, there have been a few incidents over the past week where our link dropped for between three and ten minutes at a time. Comindico's network status page explained them as "router rebooted", no more details.
But anyway, none today.
Re:There ARE exploits in the wild (Score:4, Informative)
Once the input queue is full of said packets, the router doesn't accept any more packets, then CPU utilization drops to 0% while the router idles waiting for more packets (which of course never arrive once the device is blocked).
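The symptom described above (an interface input queue that fills and never drains) is visible in the `Input queue: size/max/drops/flushes` line of IOS `show interfaces` output. The following is an added example, not code from the thread or from Cisco: it parses that output and flags interfaces whose queue size has reached or passed its maximum, which is the wedged state that only a reload clears. The sample output is constructed, and the interface names and addresses in it are made up.

```python
"""Flag IOS interfaces whose input queue is wedged (size >= max).

Added example; not from the thread or from Cisco. SAMPLE_SHOW_INTERFACES is
constructed to mimic the layout of `show interfaces`, with made-up values.
"""
import re

# Constructed sample of `show interfaces` output (not a real capture).
# FastEthernet0/0 shows a queue sitting above its max; Serial0/0 shows an
# ordinary burst (drops counted, but the queue has drained).
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.0.2.1/24
  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 198.51.100.2/30
  Input queue: 3/75/12/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 2000 bits/sec, 4 packets/sec
Ethernet1/0 is administratively down, line protocol is down
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# Interface header lines start at column 0; detail lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def parse_input_queues(text):
    """Return {interface: (size, max, drops, flushes)} from show interfaces text."""
    queues = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            queues[current] = tuple(int(x) for x in m.groups())
    return queues


def wedged_interfaces(text):
    """Interfaces whose input queue has filled to (or past) its limit.

    A queue stuck at or above max (e.g. 76/75) with a zero input rate is the
    blocked state the thread describes; a transient burst instead shows up
    as a drops count with the queue size back below max.
    """
    return sorted(name for name, (size, mx, _d, _f)
                  in parse_input_queues(text).items() if size >= mx)


if __name__ == "__main__":
    for name in wedged_interfaces(SAMPLE_SHOW_INTERFACES):
        print(f"{name}: input queue wedged, reload required to clear it")
```

Run it against saved `show interfaces` output from each device during a polling cycle; a non-empty result on an interface that is otherwise up is worth an immediate look.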
Re:There ARE exploits in the wild (Score:2)
Re:There ARE exploits in the wild (Score:4, Informative)
The ISP was probably experiencing an ordinary DoS attack.
Department of Homeland Security is interested! (Score:5, Funny)
Can you say RUSH JOB?!? (Score:2, Informative)
Also interesting to note is that the top of the Cisco Advisory had a release date of 7/17 00:00 GMT. But the bottom said that it would not be published to the public until 7/17 21:00 GMT.
Why the release 21 hours ahead of schedule? Especially since you can't d/l the patches!!
"A great disturbance..." (Score:4, Funny)
wow (Score:4, Interesting)
Sounds pretty bad.
I got this email earlier:
Thank you for being a Cogent customer.
Sincerely, Customer Support
Cogent Communications
And was wondering what was up. Been hearing about a lot of router issues from various people. Let's hope this gets wrapped up quickly.
This has been discussed...... (Score:5, Interesting)
Re:This has been discussed...... (Score:2, Informative)
Re:This has been discussed...... (Score:3, Insightful)
Odds Of Resulting Problems? (Score:3, Insightful)
Re:Odds Of Resulting Problems? (Score:2)
Will Homeland Security have kept it under wraps?? (Score:5, Interesting)
As a non-American I found this quite disturbing, since certainly with the Sendmail vulnerability, there was a risk of this being exploited by the US government against foreign nations. Now, I know I am just being paranoid, but it does freak me if this would become standard operating procedure: 1. Vulnerability discovered 2. US government given ample time to protect itself 3. US government makes use of vulnerability 4. US gov releases it to friendly nations 5. You get notified.
Just filter out packets with the evil bit (Score:5, Funny)
duh (Score:2, Insightful)
Just got this from Internap: (Score:5, Informative)
Cisco Systems has released to the public notification of a vulnerability in many versions of Cisco IOS which can create a Denial of Service on an affected router. The details of the advisory can be viewed at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-2
No exploits which target this vulnerability have yet been identified.
Prior to the public notification, Cisco had contacted their major NSP customers including Internap to inform us of this vulnerability. Internap has identified IOS versions with the appropriate fix for the platforms in our network and scheduled upgrades to our routers. Customers will receive notification shortly of the window in which the routers you are homed to will be upgraded. Due to the severity of this vulnerability these upgrades are being performed as emergency maintenance.
Customers with questions about the possible impact of this vulnerability on their own equipment are urged to read the notice at the link above or to contact Cisco directly.
Re:Just got this from Internap: (Score:3, Insightful)
The cries of thousands of Cisco 827's (Score:3, Funny)
Boss. I'm at the pub.
Dilbert (Score:4, Funny)
Boss: Look what one of our engineers said to a reporter!
Dogbert: (reading) "Our technology is putrid, but we compensate by ignoring complaints."
Boss: You know what would be more fun than fixing those problems?
Dogbert: WITCH-HUNT!!!
Are CBOS Devices Vulnerable? (Score:2, Interesting)
Interesting.... (Score:3, Informative)
"Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.sht
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com"
So, if I understand this correctly, if you've given Cisco money for hardware _and_ given Cisco money for a support contract, only then can you get hold of the fix. Neat.
Re:Interesting.... (Score:3, Informative)
No Exploits? (Score:5, Insightful)
No script kiddy tool for it yet?
Nobody's used it yet to take down routers?
Because the security advisory sure sounds like it's discovered an "exploit" on Cisco IOS routers to me.
Any self respecting coder can whip up something homemade to take advantage of the issue.
Is "no exploits" yet supposed to make us feel safer?
If a security hole is there, it's vulnerable. Calling it "unexploited for now" is just misleading and confusing.
homogeneous networks (Score:5, Insightful)
IF this had happened to our friends at Redmond (what do you mean 'if'
Now it's happened to a vendor with probably more pieces of kit attached to the public internet than anyone else (by a long chalk IMHO).
Do we cry, bad Cisco bad, no we just look at all the poor network admins who will get no sleep for the next 2 days....
Perhaps NOW people will start looking at alternatives to Cisco.
Don't get me wrong I love Cisco kit, but I think the risk of Cisco everywhere is just about to hit home...
Re:homogeneous networks (Score:2)
If the network hardware would say to you, "Hey I had a flaw, but already downloaded the patch for it. Want me to install it?" like Windows does, this wouldn't be so bad.
Seriously - Microsoft's auto-update system for Windows is fantastic. I get the patch for a bug before I see it on
Re:homogeneous networks (Score:2)
I've seen this (Score:2)
Governmental problems? (Score:2, Interesting)
Toured a local NHS facility yesterday, when they were recovering from a total internal crash that cut off all internal network traffic, as well as external traffic in and out.
The crash was caused by a halt in network traff
Re:Governmental problems? (Score:2)
I believe the NHS's IT is run by Crapita, an extremely poor provider of ITC "solutions". Private Eye has been banging on about them since time began, but the upshot is I can very easily believe they were that badly configured.
Irony in the ad at the top of this Slashdot page.. (Score:2)
Up to 85% off Cisco 2501
Save on Used Cisco Equipment Routers, Gbics, Modules & more.
www.bizinetworks.com
Used Cisco Routers
Used/Refurbished Cisco Routers save up to 90% off retail price.
www.networkliquidators.com
Cisco Switches
Compare Prices and Save Money. Find the best deals at BizRate.com!
www.BizRate.com
*Ahem*! -Ocelot Wreak.
Amazing (Score:3, Interesting)
i first heard... (Score:2)
Horrible! (Score:2)
Cisco did indeed warn large providers ahead of tim (Score:2)
Sent: Thursday, July 17, 2003 10:39 AM
To: undisclosed-recipients
Subject: Level(3)
________________________________________________________________________
As you may be aware, Level 3 performed significant maintenance to Cisco routers in our Network over the past two evenings. Due to restrictions in our contract with Cisco, we were not at liberty to share with you the nature or details of the pending work. Additional information can now be shared.
Level 3 Comm
Re:Yikes... (Score:5, Informative)
Re:Yikes... (Score:2)
Re:Troll ( Hubs are faster than switches) (Score:2)
Hubs / repeaters / fanouts work at the electrical signal level.
Bridges / Switches work at the frame level.
In limited circumstances (i.e. there are only two devices talking on the segment) the cheap hub may well be faster than any $20,000 switch.
Start throwing more devices, full-duplex operation etc. into the conversation and you will soon see the light.
Now when you have touched a netw
Re:What about PIX firewalls? (Score:2, Informative)
Re:7200 Series Only! (Score:3, Informative)
Affected Products This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
Though I really wish you were correct, since none of the (many) Cisco devices in my net are 7200s...