Slashdot Mirror


Cisco Announces Holes In PIX Firewall

iiioxx writes "Cisco Systems announced on December 15, 2003 that new security holes have been found in the PIX firewall IOS. The vulnerabilities are in SNMP and VPNC functionality, and both allow for DoS attacks against an affected firewall. Vulnerable IOS versions are 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier, 5.x.x and earlier. There are a couple of workarounds for the SNMP vulnerability, but the only way to correct the VPNC problem is to upgrade the IOS."
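The summary above gives the affected release list and says the SNMP issue has workarounds but not what they are. Before deciding whether a box needs the emergency upgrade or can wait behind a workaround, an admin wants two facts from each PIX: is its software in the listed range, and who can actually poll it over SNMP. The script below is an added example, not Cisco's advisory text or any tool Cisco ships: it audits a PIX 6.x running-config (the `PIX Version`, `nameif` and `snmp-server` lines, in the PIX 6.x syntax as I know it) and reports the version match from the summary's list, default community strings, and poll hosts reachable on the lowest-security interface. The config text is constructed, and the rule that a missing `snmp-server host ... poll` entry deserves a manual check is an assumption about device behaviour, not a claim from the advisory.

```python
"""Audit a PIX 6.x running-config for SNMP exposure and check the software
version against the releases the Slashdot summary lists as affected.
Added example; the config fragments are constructed, not real devices."""
import re

# Constructed sample: a PIX 6.3(1) with a default community and a poller on the inside.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
snmp-server host inside 10.1.1.5 poll
snmp-server community public
snmp-server location DC-1
snmp-server enable traps
"""

# Constructed sample: non-default community, poller on the inside only.
HARDENED_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
snmp-server host inside 10.1.1.5 poll
snmp-server community Xk9-notTheDefault
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def version_listed_vulnerable(v):
    """True if (major, minor, patch) falls in the summary's list:
    6.3.1, 6.2.2 and earlier, 6.1.4 and earlier, 5.x and earlier.
    Anything outside that list is reported as 'not listed', not as fixed."""
    major, minor, patch = v
    if major < 6:
        return True
    if major == 6:
        if minor < 1:
            return True            # 6.0.x is "6.1.4 and earlier"
        if minor == 1:
            return patch <= 4
        if minor == 2:
            return patch <= 2
        if minor == 3:
            return patch == 1
    return False


def parse_version(config):
    """PIX prints its release as 'PIX Version 6.3(1)'; return (6, 3, 1)."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_snmp(config):
    """Return the parsed version, the hosts allowed to poll, and a list of findings."""
    findings = []
    # Interface name -> security level, from 'nameif <hw> <name> security<N>'.
    sec = {m.group(1): int(m.group(2))
           for m in re.finditer(r"^nameif \S+ (\S+) security(\d+)", config, re.M)}

    version = parse_version(config)
    if version is None:
        findings.append("could not determine PIX version")
    elif version_listed_vulnerable(version):
        findings.append("PIX %d.%d(%d) is in the affected range given in the summary" % version)

    communities = re.findall(r"^snmp-server community (\S+)", config, re.M)
    for c in communities:
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append("default SNMP community '%s'" % c)

    # 'snmp-server host <if> <ip> [trap|poll]'; no keyword means both trap and poll.
    hosts = re.findall(r"^snmp-server host (\S+) (\S+)(?: (trap|poll))?", config, re.M)
    poll_hosts = [(ifn, ip) for ifn, ip, mode in hosts if mode != "trap"]
    for ifn, ip in poll_hosts:
        if sec.get(ifn, 0) == 0:
            findings.append("SNMP poll host %s on lowest-security interface '%s'" % (ip, ifn))
    if communities and not poll_hosts:
        # Assumption: with no explicit poll host the answer depends on the release,
        # so flag it for a manual check rather than guessing.
        findings.append("community set but no 'snmp-server host ... poll' entry; verify "
                        "which sources the PIX answers")

    return {"version": version, "poll_hosts": poll_hosts, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_snmp(cfg)
        print(name, result["version"], result["findings"] or ["no findings"])
```

Run it against `show running-config` output saved to a file for each PIX; a box that is both in the listed range and reachable by an outside poller with a default community is the one to upgrade first, since no SNMP workaround helps against the VPNC issue the summary says requires the upgrade anyway.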

23 comments

  1. Just in time for the holidays... by stefanlasiewski · · Score: 4, Funny

    Just in time for winter break, when some crackers have loads of free time.

    Um, Merry Christmas you poor netadmins...

    --
    "Can of worms? The can is open... the worms are everywhere."

    1. Re:Just in time for the holidays... by Anonymous Coward · · Score: 0

      Yeah, seriously. You're totally right, which is why I'm up right now at 12am PST fighting some idiot cracker.

      Go to bed so I can too!!!!

  2. Wormhole by Alphanos · · Score: 2, Funny

    Joke of the day: Commander Sisko has discovered the wormhole:)!

    --
    Alphanos

  3. Umm... its not IOS by LWolenczak · · Score: 4, Insightful

    IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. In fact, Cisco has been spending lots of time trying to make PIX OS look like IOS.

    1. Re:Umm... its not IOS by iiioxx · · Score: 2, Informative

      IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. In fact, Cisco has been spending lots of time trying to make PIX OS look like IOS.

      All pedantry aside, among those in the business, "IOS" is usually considered a generic term, meaning "the software that runs on a piece of Cisco hardware". Rarely, if ever, do I hear the specific terms "PIX OS" or "CatOS" bandied about. The only other common usage is simply "software." As in, "what software is on that box?"

      So yes, the "Cisco University definition" of IOS is router-specific. But in the common usage it just means, "the software on that expensive blue boxy thing." However, feel free to nitpick to your heart's content. Just be sure to upgrade the software on your frickin' PIX.

    2. Re:Umm... its not IOS by LWolenczak · · Score: 1

      But... Pixes are GREEN.... and a PERTY GREEN at that!

    3. Re:Umm... its not IOS by Guanix · · Score: 1

      So you would say that the Cisco 677 also runs IOS? ;-)

    4. Re:Umm... its not IOS by Maradine · · Score: 2, Informative

      I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

      I think what makes things confusing for some people is the fact that many of the hardware types, especially Cats, can run multiple OSs. Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs, and an SVC-FWM-1 in a blade bay running PIXOS (which, for the record, is named 'Finesse'). That's why things get lumped.

      The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names. Point being, to someone who spends a reasonable portion of each day inside other people's Cisco gear, saying 'IOS' to me means 'IOS'.

      --

      trustedworlds.net - gaming, security, and the gunk that lives in between

    5. Re:Umm... its not IOS by iiioxx · · Score: 4, Interesting

      I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

      I spent about 5 years working for a Cisco VAR, which means I spent a great deal of time talking to Cisco SEs and of course, TAC engineers. I've heard more than a couple of CCIEs refer to IOS in a generic context.

      Now, I'm a sys/netadmin for a company with around 130 locations across the US (and a boatload of Cisco gear). I and my cohorts likewise throw the term "IOS" around quite liberally.

      Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs...

      Actually, the "chassis" doesn't run anything, and the Sups run CatOS (just do a 'show module' on your Cat to see for yourself). But I think you are making the point of a Sup running CatOS and the MSFC running IOS, thus having multiple OS's in one box/blade.

      In that situation though, they are more conjoined twins than a singular entity. In fact, in our hardware naming system, the MSFC has a totally different designator than the Supervisor or chassis. So I wouldn't say "upgrade the IOS on that Cat". I'd say, "upgrade the IOS on XX03RM02" or "upgrade the IOS on XX03SW01". The designator makes it clear as to which software I am referring. XX03 is a site code, SW is a switch or Sup (thus CatOS) and RM is a router module or MSFC (thus IOS). Our hardware management database keeps track of the fact that XX03RM02 is conjoined with XX03SW01 and they are in the chassis with asset tag XYZ123.

      The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names.

      That would explain it.

    6. Re:Umm... its not IOS by Guido+von+Guido · · Score: 1

      Eh, we're reasonably specific about these things. IOS is used as a general term, but when you're talking about a specific device you usually use the more specific term. I mean, no one says "We have to upgrade the IOS on the pixes," although they might say "We have to upgrade the IOS on everything in the data center."

      You'd get a funny look if you said you upgraded something to IOS 6.3.3, wouldn't you?

    7. Re:Umm... its not IOS by Maradine · · Score: 1

      Point taken on the Sups. Forgot about the MSFC.

      --

      trustedworlds.net - gaming, security, and the gunk that lives in between

    8. Re:Umm... its not IOS by iiioxx · · Score: 1

      You'd get a funny look if you said you upgraded something to IOS 6.3.3, wouldn't you?

      Maybe. Depends on the context. If someone told me they upgraded a PIX to IOS 6.3, I wouldn't think anything of it. Likewise, if they told me they upgraded a Catalyst to IOS 5.5. I would know what they meant. If they said they upgraded their Catalyst to IOS 12.2, I would also know what they meant. I'm pretty sure that's why Cisco uses the numbering scheme they use.

    9. Re:Umm... its not IOS by theNetFreak · · Score: 1

      Well I am a CCIE and I would never refer to a Cisco OS generically as "IOS"... It is incorrect to do so and implies something that may not be true.

      For example, the 6500 series can run CatOS on the supervisor by itself, CatOS on the Sup & IOS on the MSFC in "hybrid" mode, or "native" IOS running on both. If you simply referred to it as "IOS" no one would have any idea what you are talking about.

      If nothing else, the highly crippled PIX OS does not deserve to be called "IOS". Cisco should port IOS (and the firewall feature set) to the x86 and put the nail in the PIX OS (aka "Finesse") coffin.

    10. Re:Umm... its not IOS by myg · · Score: 1

      Internally IOS (yes, the IOS that runs on the routers) is ported to x86 (and SPARC). That's what they do development & testing on.

      The real issue would probably be porting over all the drivers (and the stuff in LES/HES).

      I don't know much of anything about PIX OS though. Didn't they acquire that from somewhere or is it home grown?

    11. Re:Umm... its not IOS by littlej · · Score: 1

      The PIX actually runs an OS called Finesse (no, not the shampoo). PIX was actually a security company that Cisco acquired a while ago which made firewalls.

    12. Re:Umm... its not IOS by LWolenczak · · Score: 1

      Thank you for the long forgotten factoid.

  4. Hey... by jazman_777 · · Score: 3, Insightful

    When they say "holes in the firewall" it sounds like functionality. How about "defects" or "bugs"? Really, most firewalls have holes.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.

    1. Re:Hey... by pe1chl · · Score: 1

      Other than that, the bugs in this advisory do not seem to qualify as "holes".

  5. Not the PIX you are thinking of by Anonymous Coward · · Score: 0, Interesting

    This advisory only covers the PIX that operates as a blade in the Catalyst 6500 series switches. The regular PIX is unaffected.

    Why someone would want to integrate their firewall into their internal switch is beyond me anyway.

    1. Re:Not the PIX you are thinking of by theNetFreak · · Score: 1

      Why someone would want to integrate their firewall into their internal switch is beyond me anyway.

      Yes, it seems it is beyond you... :-)

      #1: Who says this has to be your only firewall?
      #2: In large networks it might be desirable to shield the servers from the global userbase (Hint: Not all attacks come from the outside)

  6. WRONG!! by wizzy403 · · Score: 3, Informative

    RTFA, you idiot! The security issue applies to both the blade and the standalone PIX. Mod the parent down!