Cisco Flaw Opens Routers to Attack
Jack writes "Cisco is suffering from a serious flaw in its router operating system, which might allow execution of remote code: 'Cisco has warned of a new flaw in its IOS router operating system which might be used by attackers to launch denial of service attacks or take over IOS-based devices. The flaw causes a buffer overflow due to incorrect handling of user authentication credentials.'"
Re:defcon? (Score:4, Funny)
No, this is the only existing issue on Cisco brand routers.
The defcon attack isn't scheduled to exist until the patch is published in February.
Re:defcon? (Score:5, Funny)
Re:defcon? (Score:4, Funny)
Yes but then the dupe will be posted, so this will start all over again.
Re:defcon? (Score:1)
Maybe, just maybe this is the dupe!
Either no-one has told me.. or no-one knows!
Oh, Cisco! (Score:2)
The Cisco Advisory (Score:5, Informative)
Here's a link to the cisco advisory [cisco.com]
I noticed the linked article didn't have that link, and it's viewable by the Internet public. Let's see how Cisco holds up to the mighty
Re:The Cisco Advisory (Score:2)
Well, so far so good.
Re:The Cisco Advisory (Score:1)
Re:The Cisco Advisory (Score:1)
For the full bore, whole hog, bull moose /. effect it's best to post these articles in the morning EST/EDT.
It would be amusing if of all presences on the internet, Cisco couldn't take it.
Coral Cache version (Score:2)
Advisory [nyud.net]
Re:Coral Cache version (Score:1)
Re:The Cisco Advisory (Score:1)
Re:The Cisco Advisory (Score:2)
Re:The Cisco Advisory (Score:3, Informative)
I've recently turned into a HUGE Juniper fanboy. I was already an HP ProCurve fanboy after some Cisco Catalyst issues. That and price per port/performance trounces Cisco.
In our situation, we had a VPN provider running a single Cisco 3030 concentrator. A maxed out 3030 costs around 25 or 30k and can support 500 nailed down tunnels with 50MB/s of encrypted throughput.
Meanwhi
Re:The Cisco Advisory (Score:1)
Re:The Cisco Advisory (Score:4, Insightful)
We're still human in theory at least, so mistakes will happen and in a piece of software that's *that* big, it's really easy to miss them.
Re:The Cisco Advisory (Score:1)
Products Confirmed Not Vulnerable
Products that are not running Cisco IOS are not affected
So linux is not affected. Happy?
Re:The Cisco Advisory (Score:5, Informative)
Re:The Cisco Advisory (Score:1)
Best Practices 101 (Score:4, Insightful)
If you can only auth from a known network, then an overrun in that auth process still requires access to a restricted location, which will stop 99% of attacks (which are usually automated these days).
Re:Best Practices 101 (Score:4, Informative)
This opens the whole somewhat (ie: it's open to an untrusted userbase by its nature), but the original point still stands as good general practices.
Re:Best Practices 101 (Score:2)
Re:Best Practices 101 (Score:1)
Slashdot sensationalism (Score:1)
Additionally, the referenced article on IT Observer is the editorial equivalent of a steaming pile of dog crap.
"Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."
Not only is the
Re:Latest Viruses (Score:2, Interesting)
Sounds like your problem isn't the PC, Windows or your network, but your network practices. We're pretty
Re:Latest Viruses (Score:2)
Re:Latest Viruses (Score:2, Informative)
Re:Latest Viruses (Score:2)
Are VLANs out of style? (Score:2)
Thanks,
-AT
Re:Are VLANs out of style? (Score:1, Insightful)
Would you please describe your VLAN solution that prevents Windows clients from talking with each other on the network while allowing them to talk to various servers? Please address how the solution scales to support implementations with tens of thousands of clients, as well. I'm genuinely curious.
Re:Are VLANs out of style? (Score:2, Insightful)
vlans don't inhibit broa
Re:Latest Viruses (Score:2)
What in the world does this have to do with a Cisco IOS vulnerability?
Dupe (Score:4, Funny)
Re: Dupe (Score:2)
> Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become common place for CISCO
It's getting hard to tell when it's a dupe on Slashdot vs. when it's a dupe at Cisco.
Is this perhaps... (Score:3, Informative)
Re:Is this perhaps... (Score:2)
----
>>> Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"
If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it
HTH
Re:Is this perhaps... (Score:1)
If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it
I completely agree. The onlooker normally is not able to decipher whether the finder actually found the cat or not, because the room is dark. And this room's darkness makes th
Re:Is this perhaps... (Score:2)
Re:Is this perhaps... (Score:1)
bullshit.
According to your thinking: If something looks like a duck, feels like a duck, quacks like a duck, behaves like a duck, and even smells like a duck, then
Re:Is this perhaps... (Score:2)
Re:Is this perhaps... (Score:1)
Isn't it your mind that is saying this?
Anyway, look at it this way.
Your trust in external senses more than mind lies in the fact that senses don't lie, while mind can imagine anything it wants to.
But, you will agree, that we are beings of the mind. "We" exist in the mind; we decide,
Re:Is this perhaps... (Score:2)
There's no evidence that this vulnerability is exploitable as anything other than a DoS, inflammatory headline notwithstanding.
is this the flaw Michael Lynn tried to tell about? (Score:3, Interesting)
Appeared a little over a month ago right here [slashdot.org]
Re:is this the flaw Michael Lynn tried to tell abo (Score:5, Informative)
Re:is this the flaw Michael Lynn tried to tell abo (Score:1)
Details and Mike Lynn (Score:5, Informative)
He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.
Re:Details and Mike Lynn (Score:3, Informative)
Except all the routers not running IPV6.
Re:Details and Mike Lynn (Score:3, Informative)
Mike's attack was significant on another front too -- getting an attack vector is one thing, actually using it is such a PITA that Jim Duncan of Cisco PSIRT (someone I know and highly respect) actually reacted with
Re:Details and Mike Lynn (Score:2)
And furthermore [cisco.com], the exploit only works if you can generate packets local to the router:
Re:Details and Mike Lynn (Score:3, Informative)
As for the link-local -- the point of Mike's attack wasn't that he could take out arbitrary hosts, it was that shellcode on IOS was possible. The nasty thing is, on 100% Cisco networks (go look up Cisco Powered Network), you break the first hop, then the next, then the next, then the next...everything is link local when every hop is vulnerable.
Re:Details and Mike Lynn (Score:2)
Small companies? (Score:1)
Re:Small companies? (Score:2)
It applies to most Cisco IOS-based equipment (Score:1)
Re:Small companies? (Score:4, Interesting)
The affected subsystem is not the firewall, but the authentication proxies for ftp and telnet. It is doubtful that those features are being used all that much.
The advisory also lists a set of ACLs that should suffice in most cases until a patch is issued.
If this was a problem in the firewall or ACL subsystem, it would be a bigger issue because many companies use them to place a reduced ruleset for all traffic that should be blocked in all directions like netbios, snmp, etc.
old news? (Score:1)
Re:old news? (Score:3, Informative)
Affected Versions (Score:5, Informative)
ip auth-proxy (Score:5, Informative)
If you or someone you know are running any of the following versions of code, please think of the baby seals and upgrade. That is all.
Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface.
12.2ZH and 12.2ZL based trains
12.3 based trains
12.3T based trains
12.4 based trains
12.4T based trains
sssshhhhh (Score:4, Funny)
if nobody knows, then nothing's wrong....
Re:sssshhhhh (Score:1)
Re:sssshhhhh (Score:2, Interesting)
Re:sssshhhhh (Score:2)
Re:sssshhhhh (Score:3, Funny)
if nobody knows, then nothing's wrong...
Excuse me sir, it's bad form for Cisco employees to post in this story.
Further... (Score:3, Interesting)
Re:Further... (Score:3, Insightful)
Cisco IOS Firewall Authentication Proxy (Score:5, Informative)
Summary
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS® are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This means that only equipment that is configured to act as an authentication proxy for FTP and/or telnet is affected.
I work with Cisco equipment every day and this is not a normal service to have configured. This exploit probably isn't as big of a deal as it's being made out to be. Just my 2 cents...
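An added example, not part of the original thread or of Cisco's advisory: a Python check for the condition the comments above quote, namely an auth-proxy rule for FTP or Telnet applied to an active interface. The sample config is constructed, the `ip auth-proxy name <rule> {ftp|http|telnet}` and interface-level `ip auth-proxy <rule>` lines follow IOS configuration syntax rather than anything shown on this page, and treating an interface without `shutdown` as active is an assumption of this example.

```python
import re

# Constructed sample running-config (not taken from the advisory or the thread).
SAMPLE_CONFIG = """\
ip auth-proxy name WEBAUTH http
ip auth-proxy name TERMAUTH telnet
ip auth-proxy name FILEAUTH ftp
!
interface FastEthernet0/0
 ip auth-proxy TERMAUTH
!
interface FastEthernet0/1
 ip auth-proxy WEBAUTH
!
interface Serial0/0
 ip auth-proxy FILEAUTH
 shutdown
!
"""

RISKY = {"ftp", "telnet"}  # HTTP/HTTPS-only auth-proxy is listed as not affected
RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (ftp|telnet|http)\b")
APPLY_RE = re.compile(r"^ ip auth-proxy (\S+)\s*$")

def exposed_interfaces(config):
    """Return [(interface, rule, protocols)] for active interfaces with an FTP/Telnet auth-proxy rule."""
    rules = {}        # rule name -> set of protocols it proxies
    interfaces = {}   # interface name -> {"rules": [...], "shutdown": bool}
    current = None
    for line in config.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).add(m.group(2))
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(
                line.split(None, 1)[1].strip(), {"rules": [], "shutdown": False})
        elif line.startswith(" ") and current is not None:
            m = APPLY_RE.match(line)
            if m:
                current["rules"].append(m.group(1))
            elif line.strip() == "shutdown":
                current["shutdown"] = True  # assumption: shutdown means not active
        else:
            current = None  # "!" or any other top-level line ends the block
    return [(name, rule, sorted(rules.get(rule, set()) & RISKY))
            for name, info in interfaces.items() if not info["shutdown"]
            for rule in info["rules"] if rules.get(rule, set()) & RISKY]
```

A device flagged here still has to be checked against the release trains listed in the advisory; the config alone does not say whether the running image is fixed.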
Re:Cisco IOS Firewall Authentication Proxy (Score:1)
Re:Cisco IOS Firewall Authentication Proxy (Score:2)
That headline really scared the crap out of me at first.
It's a Mitzvah (Score:3, Interesting)
It's a Mitzvah that this befalls Cisco. As previously mentioned here [slashdot.org], they have no trouble ruining the lives of those who attempt to help make a more secure world by improving their product.
A pox on their house.
It is allowed that hackers make worms that exploit Cisco hardware and disrupt the businesses of those who stupidly subsidize such misanthropic activities.
Re:It's a Mitzvah (Score:1, Interesting)
Re:doesn't bother me (Score:1)
Nobody to sue? (Score:2)
read between the lines (Score:3, Interesting)
It's a shame... (Score:1)
Use the hole to close itself up (Score:1)
When I'm up against a serious bug, remote code execution for instance, I write a test case to consistently reproduce it. I do a full analysis on the affected code and any dependencies. Before I fix the problem, I know everything abo
I blame it on... (Score:3, Funny)
And it wouldn't be a bad thing
But I don't get no packets
And that's no lie
We spent the night in Cisco
At every kind of distro
From that night I kissed
Our data goodbye
Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
The nasty virus bugs me
But somehow it has drugged me
Outbound ports get me
On my feet
I've changed my life completely
I've seen the data leave me
My baby just can't take
Her PCs offline
Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
I just can't
I just can't
I just can't control my ports...
The Best Part About the Article (Score:2)
Sure, I'll get right on disabling my firewall so the world can take over the even more insecure [unfortunate] 95% Windows network at my work.
Re:My complaint about Cisco... (Score:2)
I'll pray for you... (Score:2)