Major Flaw Found In Cisco IOS Devices
Joff_NZ writes "CERT has released an advisory regarding a serious flaw in all Cisco routers and switches which run IOS and process IPv4 packets (i.e. pretty much everything), which causes the device to stop processing inbound packets, and so: 'The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention.' There are apparently no known exploits (yet), and Cisco have this advisory with a workaround and available fixes."
There are apparently no known exploits (yet)
I say we start a pool on how long "yet" will actually be, now that CERT released the info.
It's days like this I'm REALLY glad that I'm an unemployed network engineer! This looks like a very serious headache!
-- I have a private email server in my basement.
AT&T has been having problems all over the west coast the last 4 days. I'll bet even money this is why. Their last 2 emails state they had no clue what was causing it and that random reboots of routers were to be expected.
Im not Anonymous, Just Lazy.
Crackers`n`Soup
Sometimes, it's in the best interest of the public to have vulnerability information released directly when it is found out. It opens up the ability for hackers to create exploits before the manufacturers have a chance to find a way to stop it. Sure, releasing information on vulnerabilities for open source projects right away is usually a good idea, but that's due to the fact that with an open source project, the public has the ability to come up with a patch. In cases like these, perhaps it is best for the public to be left out until a proper solution or workaround has been developed by the vendors.
At least it only freezes the device. If you could make it send the same packet to some of its router buddies, then freeze, this could get real bad, real fast.
====
Crudely Drawn Games
Here's the recommendation for a temporary workaround using ACLs:
Cisco recommends that all IOS devices which process IPv4 packets be configured to block traffic directed to the router from any unauthorized source with the use of Access Control Lists (ACLs). Legitimate traffic is defined as management protocols such as telnet, snmp or ssh, and configured routing protocols from explicitly allowed peers. All other traffic destined to the device should be blocked at the input interface.
Does "A rare sequence of crafted IPv4 packets sent directly to the device" mean a sequence utilizing one of these three protocols? If so then frigging tell us! If not, this is just a vague precautionary warning that really won't stop any user inside the network from exploiting the bug.
The TRUE details of the bug, including which protocol it uses, would help us put a nail in the coffin regarding the ACL workaround, but the Cisco bug tool isn't returning any information for the bugs they're talking about - specifically CSCea02355 and CSCdz71127.
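The workaround the post above quotes, written out as an added IOS configuration example (it is not taken from the Cisco advisory itself); the router address 192.0.2.1, the BGP peer 192.0.2.2 and the management network 198.51.100.0/24 are constructed placeholders.

```cisco
! Added example: interface ACL that admits only management and routing traffic
! addressed TO the router and leaves transit traffic (THROUGH the router) alone.
! Constructed addresses: router 192.0.2.1, BGP peer 192.0.2.2,
! management network 198.51.100.0/24.
ip access-list extended PROTECT-ROUTER
 remark --- management protocols, only from the management network
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq telnet
 permit udp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq snmp
 remark --- configured routing protocol (BGP here), only from the explicit peer
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark --- everything else destined to the router itself is dropped and logged,
 remark --- which also gives you a record of who is probing the device
 deny   ip any host 192.0.2.1 log
 remark --- transit traffic is not affected by the workaround
 permit ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group PROTECT-ROUTER in
```

Packets arriving on this interface but addressed to any other address the router owns (other interfaces, loopbacks) are still delivered to the router, so each such address needs the same deny, and replies to sessions the router itself originates (NTP, DNS, TACACS+, syslog) also count as traffic to the router and need their own permits.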
While the army took time to celebrate the discovery and safe return of Major Flaw it still maintained the need to continue the search for other missing top ranking officials. We spoke with a member of the search and recovery team soon after Major Flaw was discovered.
"It is great to have found Major Flaw but we are still very worried about the others. Our job here is not finished." said Private Data.
Colonel Panic has been spotted from time to time but the army has not yet been able to pinpoint his exact position. But the gravest of fears are held for General Protection-Fault. Sightings of the General have been few and far between in the last few years. Some conspiracy theorists say that he is not actually missing but has disguised himself. Private Data would not confirm whether they are searching for a man of similar build to General Protection-Fault but dressed all in blue.
"She's a West Texas girl, just like me" - G.W Bush Iraqis
The claim that there are no exploits is false.
Below is a note I received from my ISP about 2 hours before this topic was posted:
=-=-=-=-=-=-=-=-=-=-=
17/07/03 01.12 - 01.38 DOS Attack on Sydney PoPs
Incident
A DoS attack against the AN border router resulted in that router's CPU reaching 100% and triggering the same attack on the Perth gateway router which in turn brought down the Comindico Border router
Action
While all of the hardware remained 'up' nothing could be authenticated and therefore all traffic through the Sydney PoP ceased.
Resolution
Swiftel Engineering rebooted the Perth Gateway router clearing the DoS packets and that in turn allowed the Sydney routers to rebuild the BGP4 tables thus restoring the ability to process customer traffic.
Result
By 1.38 pm all traffic was flowing normally.
Future Elimination Of This Problem
The elimination of this type of new DoS attack has just been recognised and released by Cisco (today) and the workaround and fixes are documented in:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
We are considering whether to implement the workarounds which may impact traffic such as ICQ and some games or upgrade the IOS's in all of our Cisco equipment.
We will inform you when that decision is made.
This is actually good news for Cisco, because security holes like this appear to be a prerequisite for getting a large Department of Homeland Security contract.
No, the advisory states that non-contract customers can send an email to tac@cisco.com and get access to a "free upgrade".
...on NANOG most of the day today. It looks like Cisco discovered the vulnerability in their own testing, notified major backbone providers (AT&T, Qwest, Sprint, L3, etc), who then scheduled emergency maintenance, which in turn tipped off savvy network engineers all over the place, who started wondering what was up, which in turn generated enough interest that bits and pieces leaked, and I bet Cisco figured better to release the advisory now and end the speculation than to wait till tomorrow. As for the "no exploit available", I had a router with an uptime of many many moons hang for no apparent reason tonight...while working on that I found the cisco advisory in my inbox. Could be a coincidence, but it's a strange one.
Twinkies sure taste good for something that is 68% air.
What I really wonder about is whether the vulnerability has been kept under wraps by the Department of Homeland Security, just like they did with the Sendmail vulnerability of a short while ago, which was kept from the world for a couple of weeks. The US military had at least a full week maintenance time before the rest of the world got it.
As a non-American I found this quite disturbing, since certainly with the Sendmail vulnerability there was a risk of this being exploited by the US government against foreign nations. Now, I know I am just being paranoid, but it does freak me out if this would become standard operating procedure: 1. Vulnerability discovered 2. US government given ample time to protect itself 3. US government makes use of vulnerability 4. US gov releases it to friendly nations 5. You get notified.
Why not just filter out all the packets with the evil bit set? This should fix the problem.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
To all Internap customers:
Cisco Systems has released to the public notification of a vulnerability in many versions of Cisco IOS which can create a Denial of Service on an affected router. The details of the advisory can be viewed at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
No exploits which target this vulnerability have yet been identified.
Prior to the public notification, Cisco had contacted their major NSP customers including Internap to inform us of this vulnerability. Internap has identified IOS versions with the appropriate fix for the platforms in our network and scheduled upgrades to our routers. Customers will receive notification shortly of the window in which the routers you are homed to will be upgraded. Due to the severity of this vulnerability these upgrades are being performed as emergency maintenance.
Customers with questions about the possible impact of this vulnerability on their own equipment are urged to read the notice at the link above or to contact Cisco directly.
Twinkies sure taste good for something that is 68% air.
Don't confuse traffic going THROUGH the router with traffic directed TO the router. You probably want to control the latter because as a good netadmin you should know that this is good practice.