Slashdot Mirror
Exploit Available for Cisco IOS Vulnerability
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, has now a published exploit available, as reported recently by CERT. While there are some some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havock?. jerw134 wanted to start a pool to find out when the exploit would be publicly available, here's the answer."
The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Gee, I just had to call TAC up and give them the serial number to get in (our router doesn't have a service contract). Within an hour, I had a callback from the engineer who was given my case and an e-mail in my inbox looking for the specific info needed (the version of IOS I was running and the exact name of the binary - all produced by "sh ver").
After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.
I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
If I'm reading this page correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:
/etc/protocols
grep 103
pim 103 PIM # Protocol Independent Multicast
"I drank what?" -Socrates
Today?
RR in upstate NY has bee dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
Oh look.. it says there's nothing wrong in my area.. bullshit!
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
You can find the original exploit here.
Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:
}
If you haven't patched already - do it now.
In this post, he said:
Writing websites in C is generally a very bad idea. It does horrible things to the security - introduces buffer overflow problems. And the speed increase, when it even exists (Java's performance is better than most people think), is not worth the extra programmer time.
In an older post, he said:
...so, apparently, he mostly uses the interpreted languages he just dissed stupidly.
The rest of the post is just stupid buzzwords:
More colors = more information = more time to download, but that O(log n) is stupid and wrong. And the other stuff is even more gibberish. This exploit has nothing to do with web applications, anyway.
Relax. This news has been going around the various vulnerability mailing lists for over a week now. Slashdot is late to the party (rightfully so).
The discoverer notified Cisco and everyone else, but held back on the exploit code until Cisco had a chance to work on it. Now that the word is out as well as the patch, don't waste time here when you should be patching your CATs (or looking for a new job).
sheesh.
I have something in common with Stephen Hawking...
You don't read a lot, do you (or don't read the correct mailing lists)? The notification regarding this exploit went out some time ago. The discoverer worked with Cisco, releasing a notification regarding the exploit and some general information regarding cause and severity.
THEY HELD BACK ON THE EXPLOIT CODE UNTIL CISCO COULD DEVISE A PATCH.
Larger customers (ISPs, etc.) were taken care of in advance of the general public notification. Independent parties were no doubt already working on their own exploit code. It's quite common to release the patch and the exploit code at the same time; in fact, some parties prefer to release 0-Day exploit code... let's just be glad these particular folks didn't.
I have something in common with Stephen Hawking...
A big middle finger to all of the idiots that don't belive in full disclosure:
Cisco IOS Exploit
You can also easily create the exploit using hping2.
Also, I haven't had to mail TAC yet for any of the routers (30, and counting) I've had to upgrade. My new code has been available throught the traditional channel (Cisco's Software Center).
People that are having to mail the TAC are doing so because they have no support contract (thus, no access to the Cisco Software Center), or because the code for their specific platform doesn't appear to be available through the Software center.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Heres a link to the source in b64 format, you can extract it with:
openssl base64 -d -in cisco.txt -out cisco.tgz
Happy testing!
/* * pope1 */
The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.
Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol
103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
= Grow a brain...
Of course, there are also freely available perl and expect scripts out there that would allow you to do the same thing.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.
I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".
Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?
you don't have to email somebody and wait an hour to get the exploit
If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
There are various channels from which to get the IOS. If you have a CCO account and know which version you want/need, you just log in and download it. There are also other ways of getting it, but as a "last-ditch" (or "too-lazy") method, you can email their support group directly.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Yes, and some people do not apply ACLs to their core networks due to the fact that cores are supposed to be extremely fast. In this case, an update can be said to be needed.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
You have a Cisco 2610...
What Feature pack?
- ENTERPRISE PLUS
- ENTERPRISE PLUS IPSEC 3DES
- ENTERPRISE PLUS IPSEC 56
- ENTERPRISE/FW/IDS PLUS IPSEC 3DES
- ENTERPRISE/FW/IDS PLUS IPSEC 56
- ENTERPRISE/SNASW PLUS
- ENTERPRISE/SNASW PLUS IPSEC 3DES
- ENTERPRISE/SNASW PLUS IPSEC 56
- IP
- IP PLUS
- IP PLUS IPSEC 3DES
- IP PLUS IPSEC 56
- IP/FW/IDS
- IP/FW/IDS PLUS IPSEC 3DES
- IP/FW/IDS PLUS IPSEC 56
- IP/H323
- IP/IPX/AT/DEC
- IP/IPX/AT/DEC PLUS
- IP/IPX/AT/DEC/FW/IDS PLUS
- REMOTE ACCESS SERVER
That's just the available images for the 2610, 12.1(20)...For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
The suggested ACL settings break fast switching...so ACL is not the best solution for many.
FoundNews.com - get paid to blog.,
They refer to protocol 53 (swipe), not port 53 (domain).
Yes, and some people do not apply ACLs to their core networks due to the fact that cores are supposed to be extremely fast. In this case, an update can be said to be needed.
Huh? It's cheaper to drop a packet at the process switching level than to actually forward it to the process that implements the corresponding service.
We are talking about packets targeted at the router, and filters for them are not necessarily in the forwarding path (they can be implemented there to protect the main CPU(s) from DDOS attacks, of course). For forwarded packets, you are correct that this is problematic on core routers, e.g. very few GSR linecards support more than a few dozen ACL entries per interface, some do not support any filters at all.
The suggested ACL settings break fast switching...so ACL is not the best solution for many.
I'm not sure what you are talking about. "Fast switching" is an obsolete Cisco marketing. Maybe this is an accident and you allude to the possibility that filters decrease forwarding performance. However, quite a lot Cisco routers support either wirespeed ACLs or specific ACLs for traffic directed at the router (which do not impact forwarding performance).
No, fast switching is alive and well:
s 1831/products_configuration_guide_chapter09186a008 00ca6c8.html">http://www.cisco.com/en/US/products/ sw/iosswrel/ps1831/products_configuration_guide_ch apter09186a00800ca6c8.html
o ftware/ios121/121cgcr/switch_c/xcprt1/xcdipsp.htm
t ion-20.html
http://www.cisco.com/en/US/products/sw/iosswrel/p
http://www.networkcomputing.com/902/902sp2.html
http://www.cisco.com/univercd/cc/td/doc/product/s
http://www.faqs.org/faqs/cisco-networking-faq/sec
FoundNews.com - get paid to blog.,
Anyone else gone through hell today trying to get the patch from Cisco?
ftp://user:pass@ftp.cisco.com/cisco/ios/