Major Flaw Found In Cisco IOS Devices
Joff_NZ writes "CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet), and Cisco have this advisory with a workaround and available fixes."
It is nearly midnight on the left coast and the updates for this bug are still not available for download.
Also interesting to note is that the top of the Cisco Advisory had a release date of 7/17 00:00 GMT. But the bottom said that it would not be published to the public until 7/17 21:00 GMT.
Why the release 21 hours ahead of schedule? Especially since you can't d/l the patches!!
No, the advisory states that non-contract customers can send an email to tac@cisco.com and get access to a "free upgrade".
Yeah, but that just means that it can take out networks behind targeted routers, that doesn't mean it can self propagate, Great Worm style. Sysadmins should already be doing their best to mask the type of routing and switching eq they use (which would minimize the possibility of successful scans). So far, this exploit can only propagate down the tree, not sideways.
====
Crudely Drawn Games
Cisco Cable Modems run a version of IOS. However they have private IP addresses on the cable side and pass thru the DHCP requests that your device(s) make to the providers DHCP server. Unless your cable provider's network has been compromised I doubt that this is related to your problem.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
Check out this for a full listing of the sprint maintenances. They are upgrading every router across the globe!
To all Internap customers:
Cisco Systems has released to the public notification of a vulnerability
in many versions of Cisco IOS which can create a Denial of Service on an
affected router. The details of the advisory can be viewed at the
following link:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
No exploits which target this vulnerability have yet been identified.
Prior to the public notification, Cisco had contacted their major NSP
customers including Internap to inform us of this vulnerability. Internap
has identified IOS versions with the appropriate fix for the platforms in
our network and scheduled upgrades to our routers. Customers will receive
notification shortly of the window in which the routers you are homed to
will be upgraded. Due to the severity of this vulnerability these
upgrades are being performed as emergency maintenance.
Customers with questions about the possible impact of this vulnerability on
their own equipment are urged to read the notice at the link above or to
contact Cisco directly.
Twinkies sure taste good for something that is 68% air.
Once the input queue is full of said packets, the router doesn't accept any more packets, then CPU utilization drops to 0% while the router idles waiting for more packets (which of course never arrive once the device is blocked).
"Obtaining Fixed Software
Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com"
So, if I understand this correctly, if you've given Cisco money for hardware _and_ given Cisco money for a support contract, only then can you get hold of the fix. Neat.
Martin Brooks / Slayer99 #linux / UIN 2178117
According to Cisco, high CPU utilization is not a result of the present defect.
The ISP was probably experiencing an ordinary DoS attack.
1) If you have 56 internet facing DNS servers, it might be time to re-visit your design (with the possible exception of very large ISP's). Given BIND's history of security flaws, minimizing exposure is key.
2) With that many servers, if you're not doing it with package management (solaris pkgadd, rpm, deb, hp..., AIX..., etc... all of them have at least a rudimentary package management tool, even if it's tar), you might want to re-visit your design.
3) Deploying BIND without some forethought is going to get companies in trouble. If you can't be bothered, you really should just use DJB's DNS cache and DNS server.
Zapman
ok folks, here's how it works. A specially crafted packet is sent to an interface on a router. This packet takes up space in the queue on the interface. Once a few of these packets fill up that queue no more traffic is able to pass thru the interface. You won't see a high utilization on the CPU, it'll just throw 'em away. It's important to understand that the packet has to be directed to the interface on the router, not just merely passing through it. After the queue fills up (around 4k I'm thinking) the only way to empty it is to reload, if I'm reading correctly. From what I can tell, the large backbones got the notice a few days ago. Some lower tier players received it yesterday. And public disclosure is supposed to happen tonight around 21:00 EDT or so. However, several major internet players all of a sudden performing emergency maintenance, was a bit obvious. Especially when companies known to employ lots of Juniper didn't seem to do much. Well, guess it wasn't that OBVIOUS, but...net-eng people are worse than a small town knitting group.
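A defender's check for the symptom described in this thread (an interface that is still up but whose input queue has filled and is no longer passing traffic), as an added example that is not part of the thread or of Cisco's own tooling. It parses `show interfaces` output; the sample text below is constructed, not captured from a real device.

```python
import re

# Constructed sample of `show interfaces` output. The second interface shows
# an input queue at its maximum while the link is up and the input rate has
# fallen to zero: the blocked state the thread describes.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 12000 bits/sec, 14 packets/sec
Serial0/1 is up, line protocol is up
  Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
"""

IFACE_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")
RATE_RE = re.compile(r"5 minute input rate (\d+) bits/sec, (\d+) packets/sec")


def parse_interfaces(text):
    """Return {name: {...}} with queue size/max/drops/flushes and input pps."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3)}
            continue
        if current is None:
            continue
        m = QUEUE_RE.search(line)
        if m:
            size, qmax, drops, flushes = map(int, m.groups())
            result[current].update(size=size, max=qmax, drops=drops, flushes=flushes)
        m = RATE_RE.search(line)
        if m:
            result[current]["pps"] = int(m.group(2))
    return result


def blocked_interfaces(text):
    """Names of interfaces that are up, have a full input queue (size >= max)
    and show no input traffic; these need the reload the thread talks about."""
    ifaces = parse_interfaces(text)
    return sorted(
        name for name, d in ifaces.items()
        if d.get("status") == "up"
        and d.get("size", 0) >= d.get("max", 1)
        and d.get("pps", 1) == 0
    )
```

Polling this check from a monitoring host gives an alert before users report the outage, which matters because the blocked interface keeps reporting "up".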
PIX Firewalls actually run an OS called Finesse. It used to look a lot less IOS-like than it does today. They do not appear to be vulnerable at this time.
Affected Products
This issue affects all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets. Cisco devices which do not run Cisco IOS software are not affected. Devices which run only Internet Protocol version 6 (IPv6) are not affected.
Though I really wish you were correct, since none of the (many) cisco devices in my net are 7200s...