Slashdot Mirror


Exploit Available for Cisco IOS Vulnerability

GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, has now a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havock? jerw134 wanted to start a pool to find out when the exploit would be publicly available, here's the answer."

61 of 277 comments

  1. Them Script Kiddies by inertia187 · · Score: 4, Funny

    About them Script Kiddies,
    the internet's old plight.
    Goin' all around,
    usin' hacks they didn't write.
    Them Script Kiddies lurk the net,
    as devious little foes.
    Keep them admins well employed,
    and keeps them on their toes!
    When Script Kiddies learn a trick,
    it makes for one tight spot.
    If you ain't patched up to date,
    think again, because you ought.
    How to be a Script Kiddy,
    logon the net ad hoc.
    Google for the hack you want,
    and start your own havoc.

    --
    A programmer is a machine for converting coffee into code.
  2. Great... by mfifer · · Score: 4, Interesting

    ...the 'sploit is more easily available than the fix!

    Anyone else gone through hell today trying to get the patch from Cisco?

    Grrr... >-/

    1. Re:Great... by NerveGas · · Score: 4, Informative


      The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.

      steve

      --
      Oh, you're not stuck, you're just unable to let go of the onion rings.
    2. Re:Great... by silas_moeckel · · Score: 2, Interesting

      Well, I haven't had any issues; just go log in to your CCO account and grab the new IOS's. Actually, my local mirror updated yesterday automatically. As for going through TAC, that's always a PITA to say a couple hundred dollars a year.

      --
      No sir I dont like it.
    3. Re:Great... by rosewood · · Score: 2, Insightful

      I can't say that I'm in charge of any Cisco routers. Well, I am, but I luckily don't ever have to mess with them and have moved away from using them, but that's another story.

      However, you have to email cisco to get an update from their screw up?

      ?????

      I'll remember this when it comes time to buy network hardware.

    4. Re:Great... by Anonymous Coward · · Score: 2, Insightful

      You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

      What would you call it if they had just provided in their advisory a publicly accessible link from which to download the patch? "ultra-easy"? How about running "apt-get upgrade"? "hyper-easy"? Or having the patch automatically installed for you by Windows Update? "mega-easy"?

      Obviously, I'm not saying that Cisco should adopt any of these specific methods, but patch processes involving an email exchange don't fit most people's definition of "extremely easy."

      The original poster's point is quite valid -- you don't have to email somebody and wait an hour to get the exploit. It's easier to get the exploit than it is to get the fix.

    5. Re:Great... by Pii · · Score: 3, Informative
      Most Cisco code updates do not require TAC intervention, or email swapping. This is an isolated case.

      Also, I haven't had to mail TAC yet for any of the routers (30, and counting) I've had to upgrade. My new code has been available through the traditional channel (Cisco's Software Center).

      People that are having to mail the TAC are doing so because they have no support contract (thus, no access to the Cisco Software Center), or because the code for their specific platform doesn't appear to be available through the Software center.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    6. Re:Great... by NerveGas · · Score: 5, Informative

      > You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

      I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".

      Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?

      > you don't have to email somebody and wait an hour to get the exploit

      If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.

      steve

      --
      Oh, you're not stuck, you're just unable to let go of the onion rings.
    7. Re:Great... by NerveGas · · Score: 2, Informative


      There are various channels from which to get the IOS. If you have a CCO account and know which version you want/need, you just log in and download it. There are also other ways of getting it, but as a "last-ditch" (or "too-lazy") method, you can email their support group directly.

      steve

      --
      Oh, you're not stuck, you're just unable to let go of the onion rings.
    8. Re:Great... by Pii · · Score: 2, Informative
      That'd be great, 'cept there are about 30 different versions of code that run on any given router platform, at each release level.

      You have a Cisco 2610...

      What Feature pack?

      • ENTERPRISE PLUS
      • ENTERPRISE PLUS IPSEC 3DES
      • ENTERPRISE PLUS IPSEC 56
      • ENTERPRISE/FW/IDS PLUS IPSEC 3DES
      • ENTERPRISE/FW/IDS PLUS IPSEC 56
      • ENTERPRISE/SNASW PLUS
      • ENTERPRISE/SNASW PLUS IPSEC 3DES
      • ENTERPRISE/SNASW PLUS IPSEC 56
      • IP
      • IP PLUS
      • IP PLUS IPSEC 3DES
      • IP PLUS IPSEC 56
      • IP/FW/IDS
      • IP/FW/IDS PLUS IPSEC 3DES
      • IP/FW/IDS PLUS IPSEC 56
      • IP/H323
      • IP/IPX/AT/DEC
      • IP/IPX/AT/DEC PLUS
      • IP/IPX/AT/DEC/FW/IDS PLUS
      • REMOTE ACCESS SERVER
      That's just the available images for the 2610, 12.1(20)...
      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    9. Re:Great... by doogles · · Score: 2, Informative

      > Anyone else gone through hell today trying to get the patch from Cisco?

      ftp://user:pass@ftp.cisco.com/cisco/ios/

  3. Contact your network company by nacturation · · Score: 4, Insightful

    If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Contact your network company by Sick+Boy · · Score: 5, Funny

      After which they'll explain that they use Juniper equipment because it doesn't suck near as much as Cisco and you'll look like an ass.

      --
      Does narcissism count as a hobby? --Shawn Latimer
    2. Re:Contact your network company by Florian+Weimer · · Score: 4, Insightful

      > If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

      First of all, your network might be running on non-Cisco gear (yes, there are other vendors).

      Second, the fact that so many NOCs have to apply emergency patches is scary. I can understand that NOCs hesitate to install the latest release just after it has been published (some of the releases which include the fix have been available for months), but this particular bug only affects you if your router is insufficiently protected by ACLs against all kinds of malicious traffic. You really want to install such ACLs to mitigate the effect of typical DoS attacks targeted at the router itself, and if you've done your homework, bugs like the present one do not require emergency maintenance.

    3. Re:Contact your network company by pyite · · Score: 2, Informative

      Yes, and some people do not apply ACLs to their core networks due to the fact that cores are supposed to be extremely fast. In this case, an update can be said to be needed.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    4. Re:Contact your network company by dirvish · · Score: 2, Informative

      The suggested ACL settings break fast switching...so ACL is not the best solution for many.

    5. Re:Contact your network company by Florian+Weimer · · Score: 2, Informative

      > Yes, and some people do not apply ACLs to their core networks due to the fact that cores are supposed to be extremely fast. In this case, an update can be said to be needed.

      Huh? It's cheaper to drop a packet at the process switching level than to actually forward it to the process that implements the corresponding service.

      We are talking about packets targeted at the router, and filters for them are not necessarily in the forwarding path (they can be implemented there to protect the main CPU(s) from DDOS attacks, of course). For forwarded packets, you are correct that this is problematic on core routers, e.g. very few GSR linecards support more than a few dozen ACL entries per interface, some do not support any filters at all.

    6. Re:Contact your network company by Florian+Weimer · · Score: 2, Informative

      > The suggested ACL settings break fast switching...so ACL is not the best solution for many.

      I'm not sure what you are talking about. "Fast switching" is an obsolete Cisco marketing. Maybe this is an accident and you allude to the possibility that filters decrease forwarding performance. However, quite a lot of Cisco routers support either wirespeed ACLs or specific ACLs for traffic directed at the router (which do not impact forwarding performance).

    7. Re:Contact your network company by Artifex · · Score: 2, Interesting
      > After which they'll explain that they use Juniper equipment because it doesn't suck near as much as Cisco and you'll look like an ass


      They may use Juniper routers, but if your contract with them includes their maintenance of CPE they provided for you, and the CPE is Cisco, you're still screwed, aren't you?

      --
      Get off my launchpad!
  4. Re:Exploits et al., by _14k4 · · Score: 4, Funny

    Right, only now the webpage sucks because it's black and white.. ;)

  5. Re:Exploits et al., by Fastfwd · · Score: 2, Funny

    > I won't brag about the $10,000 bonus check I received from hitting that benchmark...

    Too late. Now how are we supposed to believe the rest of your story? :P

  6. Re:Exploits et al., by Burlynerd · · Score: 5, Interesting

    You're right on the money with the "maturity" comments, Jack. The way technology has been running, we have been in a constant state of trying to learn something new. We've never really had a chance to get "really good" at some of our technologies, before the next version or replacement technology arrived.

    The Cisco situation is not due to bleeding edge issues though. They should have found this problem sooner.

  7. Surely by jpnews · · Score: 2, Funny

    Surely you meant to say Sisqo?

  8. Re:Exploits et al., by gabriel-dialupusa · · Score: 2, Interesting

    It's also a shame we have to pat ourselves on the back a lot on slashdot. And as long as you're not bragging about $10k bonuses, make sure to not tell us how you didn't spend it on the EFF and FSF. ;-)

    --
    Beware he who would deny you access to information,
    for in his heart he dreams himself your master.
  9. Tell me why by broothal · · Score: 5, Insightful

    Ok, maybe it's just me, but why is it that I have to provide Cisco with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Cisco units. So - for crying out loud - put the patch on an FTP site and get over with it. Jumping through hoops to get the patch isn't going to speed things up.

    1. Re:Tell me why by jht · · Score: 5, Informative

      Gee, I just had to call TAC up and give them the serial number to get in (our router doesn't have a service contract). Within an hour, I had a callback from the engineer who was given my case and an e-mail in my inbox looking for the specific info needed (the version of IOS I was running and the exact name of the binary - all produced by "sh ver").

      After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.

      I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.

      --
      -- Josh Turiel
      "2. Do not eat iPod Shuffle."
    2. Re:Tell me why by Penguinshit · · Score: 2, Insightful

      It seems to me that it's Cisco's way of preventing even worse problems by someone fat-fingering the upgrade themselves. It's a little bit slower, but in the end you're assured that you get exactly what you need for your systems. I find that extremely conscientious of Cisco.

  10. "Creating" havock... by MattRog · · Score: 3, Insightful

    They'll be creating something but I don't know what. Hopefully it won't resemble havoc.

    --

    Thanks,
    --
    Matt
  11. Re:Exploits et al., by aliens · · Score: 2, Interesting

    What kind of graphics were these? They should have been already optimized to allow for quick loading.

    Unless you're talking about high quality TIF's B&W vs. Color should not be making a difference in your load times.

    --
    -- taking over the world, we are.
  12. Go Open Source by Papa+Legba · · Score: 5, Funny

    Once again we see the power of open source! From announced flaw to exploit in two days. Beat that Microshaft!..... Oh.... Wait.... This is not a good thing is it....

    --
    Papa Legba come and open the gate
  13. Re:Exploits et al., by Vishal · · Score: 2, Funny

    Black and White graphics load on an average Olog(n) faster than color ones? Mel Brooks gave you that formula?

  14. tried it... works quite well by Anonymous Coward · · Score: 2, Interesting

    I've already compiled this and tested against an internal router, fills up the input queue quite nicely. Requires libnet.h

    -orbit0r

  15. Whew. by CrackerJackz · · Score: 5, Funny

    Glad I dodged the bullet, I've got every last router patKL()*$OFD_)#@ [LINK DOWN]

  16. Re:Exploits et al., by jeffmeden · · Score: 2, Insightful

    That's a bigger load of bullshhh than I've ever seen before, and that's including all of high school! It's times like these /. needs a 'retarded' moderation.

  17. Dear Slashdot, by Anonymous Coward · · Score: 5, Funny

    Thanks heaps.

    Regards,
    Cisco Systems.

  18. Protocol Independent Multicast? by jkc120 · · Score: 3, Informative

    If I'm reading this page correctly, the protocol type of the packet that causes the problem appears to be the PIM protocol:

    grep 103 /etc/protocols
    pim 103 PIM # Protocol Independent Multicast

    --
    "I drank what?" -Socrates
    1. Re:Protocol Independent Multicast? by XenoPhage · · Score: 5, Informative

      Actually, it's 4 protocols ... 53, 55, 77, and 103.. Any one of these can kill the interface.

      I've already posted a lot of information regarding this on the Nanog list.. but the "exploit" that has been released (shadowchode) isn't required to exploit this bug .. hping can do this just as easily..

      --
      XenoPhage
      Technological Musings
  19. Re:Exploits et al., by brkello · · Score: 3, Insightful

    Ok, this post really bothers me. In any complex system, there are bound to be bugs. I seriously find it hard to believe that if you tackled something as difficult as networking, spent years working on it, would have a finished product that was 100% error free. The word "mature" is just a label. It is meaningless in reality. I agree with you that people should use the right tool for the job, but comparing switching out color pictures for B&W ones and translating code in to C with routing and switching is like comparing a computer that can win at tic tac toe to a computer that can't be beat at chess. The fact of the matter is, Cisco is used by millions for their networking needs. If you think you can produce a more "mature" product that miraculously has no bugs then please do so. I guarantee you will be a rich man. The unfortunate thing is, that most likely by the time your system is mature, Cisco will have a product out that makes your device obsolete.

    --
    Support a great indie game: http://www.abaddon360.com
  20. Re:hmm, and suddenly today roadrunner is dog-slow. by Elminst · · Score: 2, Informative

    Today?
    RR in upstate NY has been dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
    Oh look.. it says there's nothing wrong in my area.. bullshit!

    --
    No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  21. Importance of shaming they who published the explo by lanner · · Score: 5, Insightful

    Importance of shaming those who published this exploit

    There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.

    This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention of this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.

    It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.

    They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."

    I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.

  22. Re:Where is the Exploit ? by grokBoy · · Score: 5, Informative

    You can find the original exploit here.

  23. enormous ddos potential - patch right away! by Brian+Ristuccia · · Score: 4, Informative

    Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:


    while (1) {

    $x = random(255);
    $y = random(255);
    $z = random(255);
    @hops = traceroute("$x.$y.$z.1");
    for $hopnum (5..@#hops) { # don't kill nearby routers
    system("shadowchode", $hops[$hopnum], 255 - $hopnum);

    }

    }

    If you haven't patched already - do it now.

  24. Re:Exploits et al., by slamb · · Score: 2, Informative
    Umm, apparently some moderators don't realize this is a troll. The things he is talking about aren't even remotely relevant to this exploit, which is at a much lower level. And it's not even consistent:

    In this post, he said:

    > Other simple techniques like removing all interpreted languages (java, Visual Basic, c# etc.) and replacing them with low level compiled code (C, of course) has generated speed increases upwards of 25% and also increase the security of the site as a side effect.

    Writing websites in C is generally a very bad idea. It does horrible things to the security - introduces buffer overflow problems. And the speed increase, when it even exists (Java's performance is better than most people think), is not worth the extra programmer time.

    In an older post, he said:

    > Lets face it, all one has to do is take a quick look at the demand for certain skill sets on the net to get a pretty good feel for what's relevant today and I'm not sure c++ is anywhere on that radar screen. Most of my work as of late has been all Java and c#, with some legacy C programming done (on low level systems only of course, nobody would pay someone by the hour to have app level work done in C these days)

    ...so, apparently, he mostly uses the interpreted languages he just dissed stupidly.

    The rest of the post is just stupid buzzwords:

    > For instance I was able to reduce the load time of a very well known and heavily traveled Fortune 500 website by moving all the graphics to black and white only, as they load on an average of Olog(n) faster than color graphics (where n is the number of pixels in the color graphic) thusly improving their UHCRF (unique hit customer retention factor) ratio by 35%!! I won't brag about the $10,000 bonus check I received from hitting that benchmark... heh.

    More colors = more information = more time to download, but that O(log n) is stupid and wrong. And the other stuff is even more gibberish. This exploit has nothing to do with web applications, anyway.

  25. Just Fix It by vinn · · Score: 5, Insightful


    Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:

    • You're not subscribed to the proper news channels (i.e. you're not doing your job) or
    • You're lazy (i.e. you're not doing your job) or
    • You're not as important as you thought (i.e. someone else isn't doing their job.)

    It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.

    --
    ----- obSig
    1. Re:Just Fix It by davew · · Score: 2, Insightful

      I'm really, truly trying not to troll here, but this attitude pisses me off.

      I work for an ISP. We have about 40-odd routers of various sizes. Six months ago we began upgrading their IOSes to handle IPv6. Last Wednesday we finished. We weren't pissing about; we were picking builds, checking to make sure they supported the features we needed, checking for critical known bugs, deploying them, finding bugs, sometimes scaling back. Some of these problems didn't reveal themselves for a week or two after deployment.

      Pretty much none of them were due to IPv6, they're just changes in behaviour that you get when jumping from one release to another. It happens. You upgrade with care.

      And because I haven't pressed the button to start and finish this process inside of two days (and instead spent the two days planning the job and trying to divine safe ACLs to apply to tide us over until we push that button) you're telling me I'm not doing my job.

      A colleague keeps wondering why we use these expensive Ciscos and Junipers when Linux would technically fulfil a lot of what we want to do. He's right, but for one thing - typical server uptimes and reliability aren't good enough for the stuff that routers do. Even Linux, which is pretty damn good for uptime. A 5 minute reboot of a web server is annoying, but a 5 minute reboot of a router will get customers on the phone. An hour's outage of a web server is trouble; an hour's outage of a router is broken SLAs.

      Please, don't assume that a large network is a small one scaled up. There are a million reasons why that's not the case.

      Dave

  26. Just tried it.. by nolife · · Score: 5, Funny

    I just tried this on our routers at work, it does not appear to work. I did n tice som pkt lss but a r nn

    --
    Bad boys rape our young girls but Violet gives willingly.
  27. Is this a problem of feature inflation? by CraigV · · Score: 3, Interesting

    I had the impression that routing was a fairly straight-forward task and that 100% reliable software should be available for the routers. Has Cisco added frills to such an extent that the basic routing is compromised? Is this current problem associated with unnecessary features?

  28. updates by CaffeinatedMouse · · Score: 2

    Any good suggestions on scripting the upgrades? What happens if you have over a few hundred routers? Life sucks I guess.

    1. Re:updates by Pii · · Score: 2, Informative
      If your enterprise is such that you have a few hundred routers, then I'd certainly hope that you'd have ponied up for Cisco Works, which would then allow you to push out the upgrades in an automated manner.

      Of course, there are also freely available perl and expect scripts out there that would allow you to do the same thing.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
  29. That reminds me of "don't do drugs" camp by 192939495969798999 · · Score: 3, Funny

    Back in middle school, where they told us all, "here's exactly what drug x looks like, what it does, and how to get it & use it... but please don't use it. That would be bad!"
    4 years later... dang! Why are all the students on crack? :) aieee!

    --
    stuff |
  30. Re:Importance of shaming they who published the ex by Florian+Weimer · · Score: 2, Insightful

    > Importance of shaming those who published this exploit

    Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.

    Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.

  31. Here is the exploit the article is talking about by saint10 · · Score: 2, Informative

    A big middle finger to all of the idiots that don't believe in full disclosure:

    Cisco IOS Exploit

    You can also easily create the exploit using hping2.

  32. Source for shadowcode Exploit by pope1 · · Score: 5, Informative
    In case you want to test this on your own routers (worked against my 1005.. sadly :P)

    Here's a link to the source in b64 format, you can extract it with:

    openssl base64 -d -in cisco.txt -out cisco.tgz

    Happy testing!

    --
    /* * pope1 */
  33. Re:MOD PARENT DOWN by gclef · · Score: 3, Insightful

    WRONG.

    This is not the CatOS vulnerability, which was announced a week ago. This is a vulnerability in IOS (not CatOS), that Cisco discovered themselves (apparently a while ago, based on some of the build dates). It has been on the public lists for about 2 days now.

    If you're going to mock someone, make sure you have your facts straight.

  34. Wanna check your routers? by zdzichu · · Score: 2, Interesting

    Here the exploit: http://www.securitylab.ru/_tools/shadowchode.tar.t ar
    It's .tar.gz file, incorrectly named.

    --
    :wq
  35. The fix... by robpoe · · Score: 5, Informative

    The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.

    Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol
    103; PIM traffic may be permitted to those select devices.

    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    access-list 101 deny 77 any any
    access-list 101 deny 103 any any
    !--- insert any other previously applied ACL entries here
    !--- you must permit other protocols through to allow normal
    !--- traffic -- previously defined permit lists will work
    !--- or you may use the permit ip any any shown here
    access-list 101 permit ip any any

    --
    = Grow a brain...
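
An added example, not part of the post above or of Cisco's advisory: a Python audit that reads an IOS-style configuration and reports, per active interface, which of protocols 53, 55, 77 and 103 the inbound ACL would still let through. It applies first-match ordering, so deny lines that sit after an existing "permit ip any any" are reported as ineffective. It assumes numbered ACLs applied with "ip access-group N in"; the function names and the sample configuration are constructed for illustration.

```python
import re

# IP protocol numbers the thread names as able to trigger the bug.
ATTACK_PROTOCOLS = (53, 55, 77, 103)
PROTO_KEYWORDS = {"pim": 103}  # IOS ACL keyword for protocol 103
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^ip access-group\s+(\d+)\s+in$")

# Constructed sample configuration (documentation address), not from the page.
SAMPLE_CONFIG = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
!
access-list 102 permit ip any any
access-list 102 deny 53 any any
access-list 102 deny 55 any any
access-list 102 deny 77 any any
access-list 102 deny 103 any any
!
access-list 103 deny 53 any any
access-list 103 deny 55 any any
access-list 103 deny 77 any any
access-list 103 permit ip any any
!
interface Ethernet0/0
 ip access-group 101 in
!
interface Serial0/0
 ip access-group 102 in
!
interface Serial0/1
 ip pim sparse-mode
 ip access-group 103 in
!
interface Ethernet0/1
 ip address 203.0.113.1 255.255.255.0
!
interface Serial0/2
 shutdown
"""

def parse_config(text):
    """Return (acls, interfaces); acls keep their configured entry order."""
    acls, interfaces, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"acl_in": None, "shutdown": False, "pim": False}
            interfaces[line.split(None, 1)[1]] = current
        elif line.startswith(" ") and current is not None:
            sub = line.strip()
            group = GROUP_RE.match(sub)
            if group:
                current["acl_in"] = group.group(1)
            elif sub == "shutdown":
                current["shutdown"] = True
            elif sub.startswith("ip pim "):
                current["pim"] = True
        else:
            current = None  # back at global configuration level
            entry = ACL_RE.match(line)
            if entry:
                acls.setdefault(entry.group(1), []).append(entry.groups()[1:])
    return acls, interfaces

def acl_lets_through(entries, proto):
    """First-match evaluation of one protocol against an ordered ACL."""
    for action, field, rest in entries:
        if field not in ("ip", str(proto)) and PROTO_KEYWORDS.get(field) != proto:
            continue
        if action == "permit":
            return True   # conservative: any matching permit counts as exposure
        if rest.split()[:2] == ["any", "any"]:
            return False  # unconditional deny reached first
    return False          # implicit deny ends every non-empty ACL

def audit(text):
    """Map each active interface to the attack protocols it still accepts."""
    acls, interfaces = parse_config(text)
    report = {}
    for name, iface in interfaces.items():
        if iface["shutdown"]:
            continue
        # The quoted advisory text exempts protocol 103 on PIM-enabled interfaces.
        needed = [p for p in ATTACK_PROTOCOLS if not (p == 103 and iface["pim"])]
        entries = acls.get(iface["acl_in"])  # None: no ACL applied or not defined
        report[name] = [p for p in needed
                        if not entries or acl_lets_through(entries, p)]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

In the sample, Serial0/0 is the case to look for on real routers: its deny lines exist but follow the permit, so all four protocols are still reported.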
  36. Re:Importance of shaming they who published the ex by gclef · · Score: 2, Insightful

    As I mentioned in your other post about this, this is *not* the CatOS patch. Cisco discovered this themselves. The discoverers did have to work with Cisco, since they were Cisco.

    No one outside Cisco had seen this until a few days ago. The problem is, once Cisco announced it, there were only so many combinations that could cause the problems they were mentioning, and someone found them, and posted it to Full-Disclosure.

  37. Re:Importance of shaming they who published the ex by realdpk · · Score: 3, Insightful

    Without full disclosure, what % of the routers out there would be patched right now? 10? Maybe.

    It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!

    What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.

    Nice try bringing slavery in to this. That's ridiculous.

    "most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.

    To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.

  38. Just how long has Cisco known about this? by riaasucks · · Score: 2, Interesting

    If you look at the release dates of some of the code that is not vulnerable to this attack, it goes back to early June. To me, it looks like this was identified almost two months ago. The question then is: Was this suddenly announced once a planned mile-marker in IOS revisions had been met....or once they suspected the exploit was in the wild?

  39. Re:The code by njchick · · Score: 2, Interesting

    Why does the author put "(void)" before every fprintf()? Can it be some kind of hidden signature?