Exploit Available for Cisco IOS Vulnerability

GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, has now a published exploit available, as reported recently by CERT. While there are some some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havock?. jerw134 wanted to start a pool to find out when the exploit would be publicly available, here's the answer."

Them Script Kiddies

[inertia187]

About them Script Kiddies,
the internet's old plight.
Goin' all around,
usin' hacks they didn't write.
Them Script Kiddies lurk the net,
as devious little foes.
Keep them admins well employed,
and keeps them on their toes!
When Script Kiddies learn a trick,
it makes for one tight spot.
If you ain't patched up to date,
think again, because you ought.
How to be a Script Kiddy,
logon the net ad hoc.
Google for the hack you want,
and start your own havoc.

Great...

[mfifer]

...the 'sploit is more easily available than the fix!

Anyone else gone through hell today trying to get the patch from Cisco?

Grrr... >-/

Re:Great...

[NerveGas]

The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.

steve

Re:Great...

[NerveGas]

You have either a bizarre definition of the phrase "extremely easy" or very little perspective on how easy it is to patch many other products.

I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".

Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?

you don't have to email somebody and wait an hour to get the exploit

If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.

steve

Contact your network company

[nacturation]

If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

Re:Contact your network company

[Sick+Boy]

After which they'll explain that they use Juniper equipment because it doesn't suck near as much as Cisco and you'll look like an ass.

Re:Contact your network company

[Florian+Weimer]

If you haven't yet received notification from your NOC that they're going to be doing maintenance, you really need to impress upon them to get this fixed. In a nutshell, this flaw could allow a malicious hacker to shut down traffic to your servers.

First of all, your network might be running on non-Cisco gear (yes, there are other vendors).

Second, the fact that so many NOCs have to apply emergency patches is scaring. I can understand that NOCs hesitate to install the latest release just after it has been published (some of the releases which include the fix have been available for months), but this particular bug only affects you if your router is insufficiently protected by ACLs against all kinds of malicious traffic. You really want to install such ACLs to mitigate the effect of typical DoS attacks targeted at the router itself, and if you've done your homework, bugs like the present one do not require emergency maintainance.

Re:Exploits et al.,

[_14k4]

Right, only now the webpage sucks because it's black and white.. ;)

Re:Exploits et al.,

[Burlynerd]

You're right on the money with the "maturity" comments, Jack. The way technology has been running, we have been in a constant state of trying to learn something new. We've never really had a chance to get "really good" at some of our technologies, before the next version or replacement technology arrived.

The Cisco situation is not due to bleeding edge issues though. They should have found this problem sooner.

Tell me why

[broothal]

Ok, maybe it's just me, but why is it that I have to provide Ciso with serial number, date of purchase and the name of my cat to get this fix? I mean - the fix is software, and it will only work on Ciso units. So - for crying out loud - put the patch on an FTP site and get over with it. Jumping through hoops to get the patch isn't going to speed things up.

Re:Tell me why

[jht]

Gee, I just had to call TAC up and give them the serial number to get in (our router doesn't have a service contract). Within an hour, I had a callback from the engineer who was given my case and an e-mail in my inbox looking for the specific info needed (the version of IOS I was running and the exact name of the binary - all produced by "sh ver").

After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.

I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.

Go Open Source

[Papa+Legba]

Once again we see the power of open source! From anounced flaw to exploit in two days. Beat that Microshaft!..... Oh.... Wait.... This is not a good thing is it....

Whew.

[CrackerJackz]

Glad I dodged the bullet, I've got every last router patKL()*$OFD_)#@ [LINK DOWN]

Dear Slashdot,

Thanks heaps.

Regards,
Cisco Systems.

Re:Protocol Independent Multicast?

[XenoPhage]

Actually, it's 4 protocols ... 53, 55, 77, and 103.. Any one of these can kill the interface.

I've already posted a lot of information regarding this on the Nanog list.. but the "exploit" that has been release (shadowchode) isn't required to exploit this bug .. hping can do this just as easily..

Importance of shaming they who published the explo

[lanner]

Importance of shaming those who published this exploit

There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.

This is the most important security event effecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention of this issue, or how some of my technical colleges have treated it. They don't seem to understand how many Cisco routers are out there.

It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.

They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."

I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.

Re:Where is the Exploit ?

[grokBoy]

You can find the original exploit here.

enormous ddos potential - patch right away!

[Brian+Ristuccia]

Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:

while (1) {

$x = random(255);
$y = random(255);
$z = random(255);
@hops = traceroute("$x.$y.$z.1");
for $hopnum (5..@#hops) { # don't kill nearby routers
system("shadowchode", $hops[$hopnum], 255 - $hopnum);

}

}

If you haven't patched already - do it now.

Just Fix It

[vinn]

Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:

• You're not subscribed to the proper news channels (i.e. you're not doing your job) or
  
• You're lazy (i.e. you're not doing your job) or
  
• You're not as important as you thought (i.e. someone else isn't doing their job.)

It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.

Just tried it..

[nolife]

I just tried this on our routers at work, it does not appear to work. I did n tice som pkt lss but a r nn

Source for shadowcode Exploit

[pope1]

In case you want to test this on your own routers (worked against my 1005.. sadly :P)

Heres a link to the source in b64 format, you can extract it with:

openssl base64 -d -in cisco.txt -out cisco.tgz

Happy testing!

The fix...

[robpoe]

The following access list is specifically designed to block attack traffic. Note that the attack traffic can include spoofed source addresses. This access list should be applied to all interfaces of the device, and should include topology-specific filters. This could include filtering routing protocol traffic, management protocols, and traffic destined for the internal network. Protocol 103 is Protocol Independent Multicast (PIM), which is a commonly deployed application in multicast networks.

Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol
103; PIM traffic may be permitted to those select devices.

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any