Slashdot Mirror


Major Flaw Found In Cisco IOS Devices

Joff_NZ writes "CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet), and Cisco have this advisory with a workaround and available fixes."

16 of 266 comments

  1. and no posting of the exploit code? by Anonymous Coward · · Score: 2, Interesting

    hmm... the cisco page shows up as 50 pages of text in lynx, with the first 20 being useful.

    a four-hour timeout for IP-4 packets and you can do it remotely to almost ANY cisco device except those that are run as purely IP-v6. Seems more like a nuisance DOS exploit and hope not to see it.

  2. Whoa, very interesting!! by Anonymous Coward · · Score: 3, Interesting

    CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet)
    I wouldn't be so sure of that. A couple of days ago, my cable modem (and others in the area) started having problems where the connection randomly drops and it takes a while to get it back. As if maybe a router somewhere has gone down and needs to be rebooted...

    If I fire up Ethereal to peek at the traffic, I notice that the arp who-has requests are labeled with a source of "cisco_f2" ...

    Wonder if someone has been pointing this sploit at cable modem routers?

  3. Re:It's days like this... by rf0 · · Score: 4, Interesting

    I remember the day Bind 8.2.2-P5 had an exploit come live. 24 hours and 56 servers later I finally managed to get to bed. Only to have to upgrade it all again a few days later.

    fun

    Rus

  4. No Exploits My A$$ by Anonymous Coward · · Score: 5, Interesting

    AT&T has been having problems all over the west coast the last 4 days. I'll bet even money this is why. Their last 2 emails state they had no clue what was causing it and that random reboots of routers were to be expected.

    I'm not Anonymous, Just Lazy.
    Crackers`n`Soup

  5. The ACL "fix" is not a fix by jgaynor · · Score: 5, Interesting

    Here's the recommendation for a temporary workaround using ACLs:

    Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface.

    Does "A rare sequence of crafted IPv4 packets sent directly to the device" mean a sequence utilizing one of these three protocols? If so then frigging tell us! If not, this is just a vague precautionary warning that really won't stop any user inside the network from exploiting the bug.

    The TRUE details of the bug, including which protocol it uses, would help us put a nail in the coffin regarding the ACL workaround, but the Cisco bug tool isn't returning any information for the bugs they're talking about - specifically CSCea02355 and CSCdz71127.
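
One way the quoted workaround could be written as IOS configuration, as an added example that is not from this comment, the advisory or Cisco; the router address 192.0.2.1, the management host 192.0.2.10 and the BGP peer 198.51.100.2 are constructed placeholders:

```cisco
! Added example of the advisory's ACL workaround; addresses are constructed
! placeholders, not values from the page or the advisory.
! Router's own interface address: 192.0.2.1
! Authorized management host:      192.0.2.10
! Configured BGP peer:             198.51.100.2
!
ip access-list extended PROTECT-ROUTER
 ! Management protocols (ssh, telnet, snmp) from the allowed host only
 permit tcp host 192.0.2.10 host 192.0.2.1 eq 22
 permit tcp host 192.0.2.10 host 192.0.2.1 eq telnet
 permit udp host 192.0.2.10 host 192.0.2.1 eq snmp
 ! Configured routing protocol (BGP) from the explicitly allowed peer only
 permit tcp host 198.51.100.2 host 192.0.2.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 192.0.2.1
 ! Everything else addressed to the router itself is dropped and logged,
 ! so hits on this line show up in the log as an early warning
 deny ip any host 192.0.2.1 log
 ! Transit traffic through the router is left alone
 permit ip any any
!
interface FastEthernet0/0
 ip access-group PROTECT-ROUTER in
```

The deny line has to cover every address the router owns (each interface and loopback), and the list has to be applied inbound on every interface, inside ones included; otherwise the gap the comment points out, a host on an inner segment still reaching the router, remains.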

  6. There ARE exploits in the wild by Anonymous Coward · · Score: 5, Interesting

    The claim that there are no exploits is false.

    Below is a note I received from my ISP about 2 hours before this topic was posted:

    =-=-=-=-=-=-=-=-=-=-=

    17/07/03 01.12 - 01.38 DOS Attack on Sydney PoPs

    Incident

    A DoS attack against the AN border router resulted in that router's CPU reaching 100% and triggering the same attack on the Perth gateway router, which in turn brought down the Comindico Border router.

    Action

    While all of the hardware remained 'up' nothing could be authenticated and therefore all traffic through the Sydney PoP ceased.

    Resolution

    Swiftel Engineering rebooted the Perth Gateway router clearing the DoS packets and that in turn allowed the Sydney routers to rebuild the BGP4 tables thus restoring the ability to process customer traffic.

    Result

    By 1.38 pm all traffic was flowing normally.

    Future Elimination Of This Problem

    The elimination of this type of new DoS attack has just been recognised and released by Cisco (today) and the workaround and fixes are documented in:

    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

    We are considering whether to implement the workarounds, which may impact traffic such as ICQ and some games, or upgrade IOS on all of our Cisco equipment.

    We will inform you when that decision is made.

  7. Re:Yet... by Gogo+Dodo · · Score: 1, Interesting

    You forgot the bigger picture of her.

    Ehh... she's probably making more money than both of us.

  8. wow by revmoo · · Score: 3, Interesting

    Sounds pretty bad.

    I got this email earlier:

    Special Emergency Service Affecting Maintenance

    Dear Cogent Customer,

    With this message, we are notifying you of a special, emergency maintenance that will affect your service beginning at 3:00 a.m. tomorrow, Thursday July 17. The service outage you will experience is expected to be ten minutes or less.

    Cogent Communications takes very seriously its responsibility for maintaining a robust, well-performing network, and only due to extreme circumstances would we ask your indulgence for an emergency maintenance of this type. Please be assured that Cogent engineers will do everything possible to minimize your down time and its associated inconvenience.

    If you have any problems with your connection after this maintenance is complete, or if you have any questions regarding the maintenance at any point, please call Customer Service at 1-877-7COGENT and use this work order number: XXXXXX.

    We sincerely appreciate your patience and welcome any feedback. We apologize for the short notice.

    Thank you for being a Cogent customer.

    Sincerely,
    Customer Support
    Cogent Communications

    And was wondering what was up. Been hearing about a lot of router issues from various people. Let's hope this gets wrapped up quickly.

    --
    I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.

  9. This has been discussed...... by flirzan · · Score: 5, Interesting

    ...on NANOG most of the day today. It looks like Cisco discovered the vulnerability in their own testing, notified major backbone providers (AT&T, Qwest, Sprint, L3, etc), who then scheduled emergency maintenance, which in turn tipped off savvy network engineers all over the place, who started wondering what was up, which in turn generated enough interest that bits and pieces leaked, and I bet Cisco figured better to release the advisory now and end the speculation than to wait till tomorrow. As for the "no exploit available", I had a router with an uptime of many many moons hang for no apparent reason tonight...while working on that I found the cisco advisory in my inbox. Could be a coincidence, but it's a strange one.

    --
    Twinkies sure taste good for something that is 68% air.

  10. Comcast has been having problems all day... by SlashChick · · Score: 4, Interesting

    I'm in the Bay Area, and my Comcast (formerly ATTBI) cable modem connection has been having issues all day. This router kept crashing earlier today:

    tbr1-p013601.sffca.ip.att.net [12.122.11.77] (hop #6 after my cable modem)

    I have no idea what the problem is or whether it's related to this exploit, but it really stinks to have the connection continually crash. I actually haven't had problems in the last few months... until today. I hope this isn't a harbinger of things to come...

  11. Will Homeland Security have kept it under wraps?? by Anonymous Coward · · Score: 5, Interesting

    What I really wonder about is whether the vulnerability has been kept under wraps by the Department of Homeland Security, just like they did with the Sendmail vulnerability of a short while ago, which was kept from the world for a couple of weeks. The US military had at least a full week of maintenance time before the rest of the world got it.

    As a non-American I found this quite disturbing, since certainly with the Sendmail vulnerability, there was a risk of this being exploited by the US government against foreign nations. Now, I know I am just being paranoid, but it does freak me out if this would become standard operating procedure: 1. Vulnerability discovered 2. US government given ample time to protect itself 3. US government makes use of vulnerability 4. US gov releases it to friendly nations 5. You get notified.

  12. Are CBOS Devices Vulnerable? by Anonymous Coward · · Score: 2, Interesting

    Sorry if this is a dumb question, but are DSL and other broadband router devices running CBOS 2.x.x such as Cisco 675 and 678s vulnerable or is CBOS a different critter with different TCP packet handling code?

  13. Re:Yet... by Anonymous Coward · · Score: 5, Interesting

    They have an awesome collection of Anti-Cisco cartoons :)

    I think this one is one of the best:
    http://www.juniper.net/nettoons/03_1280.jpg

    (Just change the first number)

  14. Governmental problems? by Seydlitz · · Score: 2, Interesting

    (For Americans and others; the NHS is a country-wide health service that treats everyone. It's on a WAN, called NHSnet. For that reason, any network problems are very serious, as it means hospitals are almost totally unable to function. (For the record, internal IPs start with 10.1.xxx.))

    Toured a local NHS facility yesterday, when they were recovering from a total internal crash that cut off all internal network traffic, as well as external traffic in and out.

    The crash was caused by a halt in network traffic (read: router failure) in which the error messages overwhelmed the servers. (That was the reason I was given, at least... but I can't really believe that the servers would be that badly configured.)

    The servers, for the record, are a mixture of VMS (insert unix plug here) and NT/2000s (insert windows flame here). (There's an effort to move them over to pure Windows... governments. bah.)

    Anyhoo, the upshot of all this was that the routers had to be restarted and the servers' hard disks had to be remerged...

    Guess whose routers they were? Cisco.

    This was before or shortly after the release of the warning... could the problem be a bit more serious than previously thought?

  15. Not if you're using anything less than a 72xx! by Anonymous Coward · · Score: 1, Interesting

    Cisco routers are notoriously underpowered! Install some ACLs on a busy 3600 or 2600 series router and you'll start a DOS attack on your own router!

    As this recent NetworkWorldFusion review shows, a 2651 starts to fall apart with 8 rules on only 2 T1s!

    I would definitely NOT recommend adding ACLs willy-nilly to Cisco routers. BE CAREFUL and add a couple at a time during peak traffic times to make sure the router stays up.

    And (experience talking here) be sure you're logged in on console and not telnetted into the Cisco when adding a bunch of ACLs. Your telnet session will not get priority over forwarded packets and you'll have no control over the router!

    Cisco wants you to think ACLs are only "waaafer theeen"!

  16. Amazing by grayantimatter · · Score: 3, Interesting

    I think it's amazing how so many people posting here want to assume/believe that ANY slight hiccup on ANY network ANYWHERE in the last week is a direct result of this issue.