Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Internet Networking IT

Cisco Flaw Opens Routers to Attack 109

Jack writes "Cisco is suffering from a serious flaw in its router operating system, which might allow execution of remote code: 'Cisco has warned of a new flaw in its IOS router operating system which might be used by attackers to launch denial of service attacks or take over IOS-based devices. The flaw causes to buffer overflow due to incorrect handling of user authentication credentials.'"
This discussion has been archived. No new comments can be posted.

Cisco Flaw Opens Routers to Attack

Comments Filter:
  • The Cisco Advisory (Score:5, Informative)

    by MECC ( 8478 ) * on Thursday September 08, 2005 @05:52PM (#13513851)

    Here's a link to the cisco advisory [cisco.com]
    I noticed the linked article didn't have that link, and its viewable by the Internet public. Let's see how Cisco holds up to the mighty /. effect.
  • Best Practices 101 (Score:4, Insightful)

    by b0r1s ( 170449 ) on Thursday September 08, 2005 @05:53PM (#13513857) Homepage
    It's been pretty standard to ACL off authentication methods from unknown or untrusted networks for some time.

    If you can only auth from a known network, then an overrun in that auth process still requires access to a restricted location, which will stop 99% of attacks (which are usually automated these days).
    • by b0r1s ( 170449 ) on Thursday September 08, 2005 @06:02PM (#13513903) Homepage
      After reading advisory, this actually isn't a hole in the IOS authentication, but in the proxy authentication for FTP and Telnet.

      This opens the whole somewhat (ie: it's open to an untrusted userbase by its nature), but the original point still stands as good general practices.


      The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

      Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

      Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
      • The key statement there is "and/or Telnet Services". Almost every single Cisco router I have seen is running telnet. Lots of people are still using 12.2 though.
      • I can't believe this article is getting this level of attention. After reading the advisory on Cisco.com (BTW, not linked to the article) I agree it's a serious flaw in IOS/FW, but there's probably less than 50 sites in the whole world using this feature.

        Additionally, the referenced article on IT Observer is the editorial equivalent of a steaming pile of dog crap.

        "Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."

        Not only is the
  • Dupe (Score:4, Funny)

    by Namronorman ( 901664 ) on Thursday September 08, 2005 @05:56PM (#13513874)
    Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become common place for CISCO

    • > Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become common place for CISCO

      It's getting hard to tell when it's a dupe on Slashdot vs. when it's a dupe at Cisco.

  • Is this perhaps... (Score:3, Informative)

    by max99ted ( 192208 ) on Thursday September 08, 2005 @05:58PM (#13513883)
    • Yes I guess it could be related to that dudes exploits.

      ----

      >>> Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"

      If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it ... that doesn't mean it's not there.

      HTH
      • > Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"

        If it's a completely dark room. How do you know there is no cat in there? Of course randomly shouting "I found it!" is stupid. But just because someone finds the cat and you can't see it ... that doesn't mean it's not there.

        I completely agree. The onlooker normally is not able to decipher whether the finder actually found the cat or not, because the room is dark. And this room's darkness makes th
        • Unfortunately, even the person finding the cat can never sure he actually found it, no matter how much he claims so.
          • Unfortunately, even the person finding the cat can never sure he actually found it, no matter how much he claims so.

            bullshit.
            According to your thinking: If something looks like a duck, feels like a duck, quacks like a duck, behaves like a duck, and even smells like a duck, then ... we still can never be fully 100% sure it's truly a duck.
            • Exactly. Just because your external senses tell you something, doesn't mean you can always trust them. And with God, no external sense will tell you anything, it's all in your own mind. Do you trust your own brain to be infallible?
              • Exactly. Just because your external senses tell you something, doesn't mean you can always trust them. And with God, no external sense will tell you anything, it's all in your own mind. Do you trust your own brain to be infallible?

                Isnt it your mind that is saying this?

                Anyway, look at it this way.

                Your trust in external senses more than mind lies in the fact that senses dont lie, while mind can imagine anything it wants to.

                But, you will agree, that we are beings of the mind. "We" exist in the mind; we decide,
    • Probably not related, other than Lynn's findings explain the obviously cya statement "and potentially an arbitrary code execution attack". which is normally not in their security advisories.

      There's no evidence that this vulnerability is exploitable as anything other than a DoS, inflamatory headline notwithstanding.
  • by Gruturo ( 141223 ) on Thursday September 08, 2005 @05:59PM (#13513891)
    Is this the flaw Cisco was trying to keep secret and that caused Michael Lynn to resign his job in order to be free to speak about?

    Appeared a little over a month ago right here [slashdot.org]
    • by LarsG ( 31008 ) on Thursday September 08, 2005 @06:27PM (#13514019) Journal
      Lynn's presentation wasn't about any specific vulnerability (I think he did mention one vulnerability, which was patched some time before the presentation). It was generally thought that most Cisco vulnerabilities could only hang or reboot IOS. Lynn showed that you could inject code. Which makes vulnerabilities like this one a lot more dangerous, as an attacker can Own the router instead of just crashing it.

    • by Effugas ( 2378 ) * on Thursday September 08, 2005 @06:54PM (#13514233) Homepage
      No. Mike's "first cut" was against the link-local IPv6 parser (a fact not disclosed publically by Mike, but by Cisco). Once in, he actually figured out how to execute arbitrary code -- something way harder than even Mike's slides describe.

      He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.

      • He could get into pretty much any Cisco router w/ his attack...

        Except all the routers not running IPV6.
        • by Effugas ( 2378 ) *
          Active by default.

          Mike's attack was significant another front too -- getting an attack vector is one thing, actually using it is such a PITA that Jim Duncan of Cisco PSIRT (someone I know and highly respect) actually reacted with ... ahem ... "unexpectedly strong disbelief" when Mike said he could exploit the box using what he'd found.
          • No, it isn't [cisco.com]:

            Defaults

            IPv6 unicast routing is disabled.

            And furthermore [cisco.com], the exploit only works if you can generate packets local to the router:

            Summary

            Cisco Internetwork Operating System (IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation,

            • by Effugas ( 2378 ) *
              Routing is disabled. Doesn't mean the box doesn't parse IPv6 before trashing 'em.

              As for the link-local -- the point of Mike's attack wasn't that he could take out arbitrary hosts, it was that shellcode on IOS was possible. The nasty thing is, on 100% Cisco networks (go look up Cisco Powered Network), you break the first hop, then the next, then the next, then the next...everything is link local when every hop is vulnerable.
              • The Cisco advisory for the link-local parser vulnerability states very clearly that if IPV6 routing is turned off, the router is not vulnerable. I even pasted that part of the advisory into the message you are replying to. Have you not read the advisory, or do you have evidence that it's wrong? If it's wrong, a lot of people would be interested in seeing it, since most people who aren't running IPV6 haven't patched for this vulnerability. I guess whoever modded your post informative has access to this s
  • Does this mainly just impact smaller companies? I'm not sure if major corporations use routers with the firewall feature set, rather a true firewall instead. If that's the case, there shouldn't be huge consequences for this. I doubt small companies that would use the firewall feature set are hacker targets as much as the larger corps are.
    • Any internet connected device with a vulnerability is a hacker target. At the least a rooted router can be used to hide the true source of attacks against more interesting targets. A router is much preferable to a desktop for this purpose as it's already designed to do this. Also a router is likely to have a fast, stable connection.
    • And so, if you have an IOS object, it might be a good idea to read the advisory, that is, if your network is still up.
    • Re:Small companies? (Score:4, Interesting)

      by hal9000(jr) ( 316943 ) on Thursday September 08, 2005 @06:45PM (#13514134)
      Read the advisory [cisco.com].
      The affected subsystem is not the firewall, but the authentication proxies for ftp and telnet. It is doubtful that those features are being used all that much.
      The advisory also list a set of ACL that should suffice in most cases until a patch is issued.
      If this was a problem in the firewall or ACL subsystem, it would be a bigger issue because many companies use them to place a reduced ruleset for all traffic that should be blocked in all directions like netbios, snmp, etc.
  • i think i remeber reading about the guy that broke this at a confrence a few months back...
    • Re:old news? (Score:3, Informative)

      by jd ( 1658 )
      I think that was the IPv6 routing bug, which allowed programs to be remotely run, which Cisco admitted to shortly after.
  • Affected Versions (Score:5, Informative)

    by gulfan ( 524955 ) on Thursday September 08, 2005 @06:04PM (#13513922)
    Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that are not vulnerable are IOS XR and IOS versions 12.2 and earlier, including 12.0S. This shouldn't be a problem for those Network Administrators that created access control lists for modifications for the router, however Cisco has issued a patch [cisco.com].
  • ip auth-proxy (Score:5, Informative)

    by ctime ( 755868 ) on Thursday September 08, 2005 @06:08PM (#13513939)
    The bug effects systems running ip auth-proxy , I feel bad for anyone that has to run it. I played with it a bit while experimenting wireless security schemes and I found it to be useless (to be fair it wasn't designed for it, either)

    If you are someone you know are running any of the following versions of code, please think of the baby seals and upgrade. That is all.

    Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface.
    12.2ZH and 12.2ZL based trains 12.3 based trains 12.3T based trains 12.4 based trains 12.4T based trains

  • sssshhhhh (Score:4, Funny)

    by jshaped ( 899227 ) on Thursday September 08, 2005 @06:18PM (#13513977)
    quiet everbody....
    if nobody knows, then nothing's wrong....

  • Further... (Score:3, Interesting)

    by burtdub ( 903121 ) on Thursday September 08, 2005 @06:21PM (#13513991)
    A Crisco flaw has left the routers open to deep pan frying.
    • Re:Further... (Score:3, Insightful)

      I have a close friend who worked at Cisco for a while. The company had massive layoffs in 2001, followed by countless little series of layoffs in 2002, 2003. Tons of good engineers were supposedly let go. You wonder if the lack of engineering resources is beginning to catch up with them. All these years in the trenches shorthanded will leave the product more vulnerable than ever.

  • by RaZ0r ( 145723 ) on Thursday September 08, 2005 @06:26PM (#13514013) Homepage
    article text
    Summary

    The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

    Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

    Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

    Only devices running certain versions of Cisco IOS® are affected.

    Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.


    This means that only equipment that is configured to act as an authenticatoin proxy for FTP and/or telent are affected.

    I work with cisco equpment every day and this is not a normal service to have configured. This exploit probably isn't as big of a deal as its being made out to be. Just my 2 cents...
  • It's a Mitzvah (Score:3, Interesting)

    by putko ( 753330 ) on Thursday September 08, 2005 @07:16PM (#13514413) Homepage Journal
    This SHOULD happen.

    It's a Mitzvah that this befalls Cisco. As previously mentioned here [slashdot.org], they have no trouble ruining the lives of those who attempt to help make a more secure world by improving their product.

    A pox on their house.

    It is allowed that hackers make worms that exploit Cisco hardware and disrupt the businesses of those who stupidly subsidize such misanthropic activities.
    • Re:It's a Mitzvah (Score:1, Interesting)

      by Anonymous Coward
      You do realize that the post you just made probably had to pass through a Cisco router before it arrived here, right?

  • What I'd like to know is who Cisco is going to sue over this bug... ;-)
  • by timmarhy ( 659436 ) on Thursday September 08, 2005 @11:33PM (#13515980)
    look at the hidden meaning here. cisco censor a security researcher, and now they have a new vunerability on their hands. get ready for an avalanche of these has angry hackers make an example of cisco.
  • What a pity that Think Geek stopped selling those "I am Enabled" shirts. Sounds like the market for those is about to increase... ;-)
  • Since a vulnerability exists that lets you run remote code, why not make use of that vulnerability to patch itself? It's almost elegant if you think about it... a problem that becomes the solution to end itself. Under the right circumstances, this isn't an impossible thing to do.

    When I'm up against a serious bug, remote code execution for instance, I write a test case to consistently reproduce it. I do a full analysis on the affected code and any dependencies. Before I fix the problem, I know everything abo
  • by Andy_R ( 114137 ) on Friday September 09, 2005 @05:42AM (#13517416) Homepage Journal
    My leds are always flashn'
    And it wouldn't be a bad thing
    But I don't get no packets
    And thats no lie

    We spent the night in Cisco
    At every kind of distro
    From that night I kissed
    Our data goodbye

    Chorus:
    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    The nasty virus bugs me
    But somehow it has drugged me
    Outbound ports get me
    On my feet

    I've changed my life completely
    I've seen the data leave me
    My baby just can't take
    Her PCs offline

    Chorus:
    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    I just can't
    I just can't
    I just can't control my ports...
  • Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."

    Sure, I'll get right on disabling my firewall so the world can take over the even more insecure [unfortunate] 95% Windows network at my work.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...