Slashdot Mirror


Exploit Available for Cisco IOS Vulnerability

GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, now has a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havoc? jerw134 wanted to start a pool to find out when the exploit would be publicly available; here's the answer."

18 of 277 comments

  1. Contact your network company by nacturation · · Score: 4, Insightful

    If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Contact your network company by Florian+Weimer · · Score: 4, Insightful

      If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

      First of all, your network might be running on non-Cisco gear (yes, there are other vendors).

      Second, the fact that so many NOCs have to apply emergency patches is scary. I can understand that NOCs hesitate to install the latest release just after it has been published (some of the releases which include the fix have been available for months), but this particular bug only affects you if your router is insufficiently protected by ACLs against all kinds of malicious traffic. You really want to install such ACLs to mitigate the effect of typical DoS attacks targeted at the router itself, and if you've done your homework, bugs like the present one do not require emergency maintenance.

    2. Re:Contact your network company by Anonymous Coward · · Score: 1, Insightful

      It was a joke you turd.

  2. As Mentioned on Slashdot by Saige · · Score: 1, Insightful

    Now that it's been published, and Slashdot has broadcast it nice and loudly, surely the number of script kiddies planning on making use of this is significantly increasing. Not that I'm complaining about it being known - it'll really make certain people get their behinds in gear to fix it - but I'm sure we'll be seeing how serious of an exploit this is soon.

    Let's see if we get significant network outages anywhere on the internet anytime in the next few days/weeks...

    --
    "You know your god is man-made when he hates all the same people you do."
  3. Tell me why by broothal · · Score: 5, Insightful

    Ok, maybe it's just me, but why is it that I have to provide Cisco with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Cisco units. So - for crying out loud - put the patch on an FTP site and get it over with. Jumping through hoops to get the patch isn't going to speed things up.

    1. Re:Tell me why by Penguinshit · · Score: 2, Insightful

      It seems to me that it's Cisco's way of preventing even worse problems by someone fat-fingering the upgrade themselves. It's a little bit slower, but in the end you're assured that you get exactly what you need for your systems. I find that extremely conscientious of Cisco.

  4. "Creating" havock... by MattRog · · Score: 3, Insightful

    They'll be creating something but I don't know what. Hopefully it won't resemble havoc.

    --

    Thanks,
    --
    Matt
  5. Re:Great... by rosewood · · Score: 2, Insightful

    I can't say that I'm in charge of any Cisco routers. Well, I am, but I luckily don't ever have to mess with them and have moved away from using them, but that's another story.

    However, you have to email cisco to get an update from their screw up?

    ?????

    I'll remember this when it comes time to buy network hardware.

  6. Re:Exploits et al., by jeffmeden · · Score: 2, Insightful

    That's a bigger load of bullshhh than I've ever seen before, and that's including all of high school! It's times like these /. needs a 'retarded' moderation.

  7. Re:Exploits et al., by brkello · · Score: 3, Insightful

    Ok, this post really bothers me. In any complex system, there are bound to be bugs. I seriously find it hard to believe that if you tackled something as difficult as networking and spent years working on it, you would have a finished product that was 100% error free. The word "mature" is just a label. It is meaningless in reality. I agree with you that people should use the right tool for the job, but comparing switching out color pictures for B&W ones and translating code into C with routing and switching is like comparing a computer that can win at tic tac toe to a computer that can't be beat at chess. The fact of the matter is, Cisco is used by millions for their networking needs. If you think you can produce a more "mature" product that miraculously has no bugs, then please do so. I guarantee you will be a rich man. The unfortunate thing is that, most likely, by the time your system is mature, Cisco will have a product out that makes your device obsolete.

    --
    Support a great indie game: http://www.abaddon360.com
  8. Importance of shaming they who published the explo by lanner · · Score: 5, Insightful

    Importance of shaming those who published this exploit

    There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.

    This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention on this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.

    It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.

    They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."

    I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.

  9. Just Fix It by vinn · · Score: 5, Insightful


    Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:

    • You're not subscribed to the proper news channels (i.e. you're not doing your job) or
    • You're lazy (i.e. you're not doing your job) or
    • You're not as important as you thought (i.e. someone else isn't doing their job.)

    It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.

    --
    ----- obSig
    1. Re:Just Fix It by davew · · Score: 2, Insightful

      I'm really, truly trying not to troll here, but this attitude pisses me off.

      I work for an ISP. We have about 40-odd routers of various sizes. Six months ago we began upgrading their IOSes to handle IPv6. Last Wednesday we finished. We weren't pissing about; we were picking builds, checking to make sure they supported the features we needed, checking for critical known bugs, deploying them, finding bugs, sometimes scaling back. Some of these problems didn't reveal themselves for a week or two after deployment.

      Pretty much none of them were due to IPv6, they're just changes in behaviour that you get when jumping from one release to another. It happens. You upgrade with care.

      And because I haven't pressed the button to start and finish this process inside of two days (and instead spent the two days planning the job and trying to divine safe ACLs to apply to tide us over until we push that button) you're telling me I'm not doing my job.

      A colleague keeps wondering why we use these expensive Ciscos and Junipers when Linux would technically fulfil a lot of what we want to do. He's right, but for one thing - typical server uptimes and reliability aren't good enough for the stuff that routers do. Even Linux, which is pretty damn good for uptime. A 5 minute reboot of a web server is annoying, but a 5 minute reboot of a router will get customers on the phone. An hour's outage of a web server is trouble; an hour's outage of a router is broken SLAs.

      Please, don't assume that a large network is a small one scaled up. There are a million reasons why that's not the case.

      Dave

  10. Re:Great... by Anonymous Coward · · Score: 2, Insightful

    You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

    What would you call it if they had just provided in their advisory a publicly-accessible link from which to download the patch? "ultra-easy"? How about running "apt-get upgrade"? "hyper-easy"? Or having the patch automatically installed for you by Windows Update? "mega-easy"?

    Obviously, I'm not saying that Cisco should adopt any of these specific methods, but patch processes involving an email exchange don't fit most people's definition of "extremely easy."

    The original poster's point is quite valid -- you don't have to email somebody and wait an hour to get the exploit. It's easier to get the exploit than it is to get the fix.

  11. Re:Importance of shaming they who published the ex by Florian+Weimer · · Score: 2, Insightful

    Importance of shaming those who published this exploit

    Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.

    Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.
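The two posts by Florian Weimer above make one operational point between them: an ACL that limits what can be sent to the router's own addresses mitigates DoS traffic aimed at the router, and the workaround then has to be tested to confirm it actually catches that traffic. The Cisco IOS configuration below is an added illustration of both, not something from the thread, from Cisco's advisory, or from CERT. The router address 198.51.100.1, the BGP neighbour 198.51.100.2, the management host 192.0.2.10 and the interface name are assumptions chosen for the example (documentation prefixes), and the permitted protocols are a generic set; the thread does not quote the specific filter Cisco recommended, so none is claimed here.

```text
! Added example, not from the thread: an inbound interface ACL that protects
! the router's own address, beside the unprotected setting it replaces.
! Assumed values: router interface 198.51.100.1/30, BGP neighbour 198.51.100.2,
! management host 192.0.2.10, uplink GigabitEthernet0/0.
!
! Weak setting: no inbound ACL on the uplink, so any Internet host can send
! any protocol straight to the router's own interface address.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 no ip access-group in
!
! Corrected setting: traffic addressed to the router itself is limited to the
! sources and protocols the operator needs; anything else aimed at the router
! is dropped and counted, while transit traffic through the router is untouched.
ip access-list extended PROTECT-ROUTER
 remark -- management and routing-protocol traffic the router must accept
 permit tcp host 192.0.2.10 host 198.51.100.1 eq 22
 permit tcp host 198.51.100.2 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.2 eq bgp host 198.51.100.1
 permit icmp any host 198.51.100.1 echo
 permit icmp any host 198.51.100.1 ttl-exceeded
 remark -- everything else destined to the router itself is dropped
 deny   ip any host 198.51.100.1 log
 remark -- transit traffic is not the subject of this ACL
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group PROTECT-ROUTER in
!
! Testing the workaround: reset the per-line match counters, generate the
! traffic you expect to be blocked from a host you control, then read the
! counter on the deny line.  A non-zero count on that line shows the ACL
! is in the path and matching; zero means the traffic is not reaching it.
!   clear access-list counters PROTECT-ROUTER
!   show access-lists PROTECT-ROUTER
```

Two practical notes on the design. The `deny ... log` keyword is convenient while testing because each match produces a syslog line, but logging is itself CPU work on the router, so once the filter is confirmed to be working it is usual to remove `log` and rely on the `show access-lists` match counters alone. And the ACL deliberately ends in `permit ip any any`: its job is to protect the router's own addresses, not to filter customer traffic passing through it, so it should not break transit when applied to a live uplink.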

  12. Re:MOD PARENT DOWN by gclef · · Score: 3, Insightful

    WRONG.

    This is not the CatOS vulnerability, which was announced a week ago. This is a vulnerability in IOS (not CatOS), that Cisco discovered themselves (apparently a while ago, based on some of the build dates). It has been on the public lists for about 2 days now.

    If you're going to mock someone, make sure you have your facts straight.

  13. Re:Importance of shaming they who published the ex by gclef · · Score: 2, Insightful

    As I mentioned in your other post about this, this is *not* the CatOS patch. Cisco discovered this themselves. The discoverers did have to work with Cisco, since they were Cisco.

    No one outside Cisco had seen this until a few days ago. The problem is, once Cisco announced it, there were only so many combinations that could cause the problems they were mentioning, and someone found them, and posted it to Full-Disclosure.

  14. Re:Importance of shaming they who published the ex by realdpk · · Score: 3, Insightful

    Without full disclosure, what % of the routers out there would be patched right now? 10? Maybe.

    It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!

    What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.

    Nice try bringing slavery into this. That's ridiculous.

    "most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.

    To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.