Slashdot Mirror


Major Flaw Found In Cisco IOS Devices

Joff_NZ writes "CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet), and Cisco have this advisory with a workaround and available fixes."

16 of 266 comments

  1. Yet... by jerw134 · · Score: 5, Insightful

    There are apparently no known exploits (yet)

    I say we start a pool on how long "yet" will actually be, now that CERT released the info.

    1. Re:Yet... by jamesh · · Score: 3, Insightful

      I couldn't glean from the article exactly what packet would cause the failure. The ACL that was given as a workaround permitted typical protocols (e.g. tcp, udp, icmp, etc.) and blocked the rest. Presumably somewhere in 'the rest' lies the exploit, but it's a big space to search.

  2. Re:Disclosure of vulnerabilities by eskimoboy · · Score: 5, Insightful

    Sometimes, it's in the best interest of the public to have vulnerability information released directly when it is found out. It opens up the ability for hackers to create exploits before the manufacturers have a chance to find a way to stop it. Sure, releasing information on vulnerabilities for open source projects right away is usually a good idea, but that's due to the fact that with an open source project, the public has the ability to come up with a patch. In cases like these, perhaps it is best for the public to be left out until a proper solution or workaround has been developed by the vendors.

  3. At least it won't worm. by Valar · · Score: 5, Insightful

    At least it only freezes the device. If you could make it send the same packet to some of its router buddies, then freeze, this could get real bad, real fast.

  4. Re:and no posting of the exploit code? by Anonymous Coward · · Score: 1, Insightful

    Well, if you could really lock out every path that had an unpatched IOS box in it, that would firmly be upgraded from a 'nuisance DoS' to a 'really fucking huge the internet is closed right now DoS'. At least if it was the payload in a worm that could spread well. Considering there's no autopatcher for IOS and the boxes are often tucked away in a closet and forgotten, I bet the first guy who puts this one out in the wild could hit the vast majority even if it's months from now. I am sure core backhaul providers will be patched quickly, but what good is a backbone if every destination goes out?

  5. Odds Of Resulting Problems? by rsmith-mac · · Score: 2, Insightful

    With this exploit now out there (at least in theory anyway), I guess the question now becomes what can we expect from it. Assuming that a black-hat or someone else of an infamous nature figures out this exploit, what are the ramifications that we can expect? Obviously, many routers are owned and run by competent admins, but with all the Cisco routers out there, it's naive to believe that all of the routers will be fixed before someone exploits this. Given that, what does everyone suppose will happen to the internet as a whole? The core routers will most likely be fixed ASAP, but there's always the problem of the "oops, I forgot that one" router. Will this exploit become the ever-lasting Code Red (in terms of network problems), or will its threat blow over just like Code Red?

    1. Re:Odds Of Resulting Problems? by Anonymous Coward · · Score: 1, Insightful

      ... with all the Cisco routers out there ...

      It gets worse: this affects a lot of Cisco's switches too. And nobody pays attention to the switches until they break...

  6. duh by blosphere · · Score: 2, Insightful

    Well, I can safely predict that a lot of the 12xxx routers are going to reload/have reloaded already. At least if you don't have a Juniper sitting on your core, you most likely have a 12xxx series one. And try to apply an ACL on their interfaces... bye bye router :)

  7. Yes it is by forged · · Score: 5, Insightful

    Actually, the proposed workaround works very well (it wouldn't be a workaround otherwise).

    Don't misunderstand traffic going THROUGH the router with traffic directed TO the router. You probably want to control the latter, because as a good netadmin you should know that this is good practice.
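    The ACL shape described in comment 1.1 (permit the usual protocols, deny the rest) together with comment 7's point about filtering traffic directed TO the router rather than THROUGH it, written out as an added illustration. This is not Cisco's published workaround and not text from this thread; the ACL name, the interface name and the addresses (RFC 5737 documentation ranges) are assumed placeholders.

```cisco
! Added illustration, not the advisory's ACL.  192.0.2.1 stands for the
! router's own address on this link (constructed placeholder).
ip access-list extended PROTECT-ROUTER
 ! Traffic addressed TO the router: allow only the protocols the thread lists.
 permit tcp any host 192.0.2.1
 permit udp any host 192.0.2.1
 permit icmp any host 192.0.2.1
 ! Any other IP protocol addressed to the router itself is dropped.  The log
 ! keyword (a design choice here) makes blocked attempts visible in syslog
 ! instead of surfacing only as a wedged input queue.
 deny ip any host 192.0.2.1 log
 ! Traffic going THROUGH the router is not what the workaround is about.
 permit ip any any
!
interface GigabitEthernet0/0
 ! Inbound direction, because the input queue is what the advisory says fills up.
 ip access-group PROTECT-ROUTER in
```

    Two caveats before applying something like this. First, the deny line also catches every non-TCP/UDP/ICMP protocol the router legitimately terminates on that address (OSPF is IP protocol 89, GRE is 47, ESP is 50), so each of those needs its own permit line ahead of the deny or adjacencies and tunnels drop, which is the "bye bye router" failure comment 6 warns about. Second, a router answers on all of its addresses, loopbacks included, so a single host entry per ACL only protects that interface; the host entries have to cover every address the router will accept packets for.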

  8. Re:and no posting of the exploit code? by afidel · · Score: 2, Insightful

    No autopatchers for IOS, what the hell do you call CiscoWorks??? Just tell it all devices of type X should be on IOS version Y and it updates em.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

  9. Re:It's days like this... by TheMidget · · Score: 2, Insightful

    It's days like this I'm REALLY glad that I'm an unemployed network engineer! This looks like a very serious headache!

    ... and since you're unemployed, this now more looks like an opportunity ;-)

  10. Re:This has been discussed...... by Florian+Weimer · · Score: 2, Insightful

    At the moment, the impact of this defect is downtime because of hasty emergency router maintenance.

  11. No Exploits? by grimani · · Score: 4, Insightful

    What does "no exploits" mean?

    No script kiddy tool for it yet?
    Nobody's used it yet to take down routers?

    Because the security advisory sure sounds like it's discovered an "exploit" on Cisco IOS routers to me.

    Any self respecting coder can whip up something homemade to take advantage of the issue.

    Is "no exploits" yet supposed to make us feel safer?

    If a security hole is there, it's vulnerable. Calling it "unexploited for now" is just misleading and confusing.

  12. homogeneous networks by martin · · Score: 4, Insightful

    Now let us step back a little.

    IF this had happened to our friends at Redmond (what do you mean 'if' :-) then we'd all be crying about how homogeneous networks/OS's etc are bad for security.

    Now it's happened to a vendor with probably more pieces of kit attached to the public internet than anyone else (by a long chalk IMHO).

    Do we cry, bad Cisco bad, no we just look at all the poor network admins who will get no sleep for the next 2 days....

    Perhaps NOW people will start looking at alternatives to Cisco.

    Don't get me wrong I love Cisco kit, but I think the risk of Cisco everywhere is just about to hit home...

  13. Re:and no posting of the exploit code? by Cramer · · Score: 2, Insightful

    Somehow, I cannot see people paying $10,000 for CiscoWorks just to upgrade all their routers at once. And judging from the way most of CW "works", I don't f***kin' trust it to muck with flash and reboot routers.

  14. Re:Just got this from Internap: by frankie · · Score: 2, Insightful

    Flirzan, just wondering, why do you host with Internap? Are you a spammer?