Cisco Announces Holes In PIX Firewall

← Back to Stories (view on slashdot.org)

Cisco Announces Holes In PIX Firewall

Posted by simoniker on Wednesday December 17, 2003 @01:28PM from the net-also-full-of-holes dept.

iiioxx writes "Cisco Systems announced on December 15, 2003 that new security holes have been found in the PIX firewall IOS. The vulnerabilities are in SNMP and VPNC functionality, and both allow for DOS attacks against an affected firewall. Vulnerable IOS versions are 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier. 5.x.x and earlier. There are a couple of workarounds for the SNMP vulnerability, but the only way to correct the VPNC problem is to upgrade the IOS."

8 of 23 comments (clear)

Min score:

Reason:

Sort:

Just in time for the holidays... by stefanlasiewski · 2003-12-17 13:34 · Score: 4, Funny

Just in time for winter break, when some crackers have loads of free time.

Um, Merry Christmas you poor netadmins...

--
"Can of worms? The can is open... the worms are everywhere."
Wormhole by Alphanos · 2003-12-17 13:36 · Score: 2, Funny

Joke of the day: Commander Sisko has discovered the wormhole:)!

--
Alphanos
Umm... its not IOS by LWolenczak · 2003-12-17 14:47 · Score: 4, Insightful

IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. Infact, Cisco has been spending lots of time trying to make PIX OS to look like IOS.
1. Re:Umm... its not IOS by iiioxx · 2003-12-17 16:48 · Score: 2, Informative
  
  IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. Infact, Cisco has been spending lots of time trying to make PIX OS to look like IOS.
  
  All pedantry aside, among those in the business, "IOS" is usually considered a generic term, meaning "the software that runs on a piece of Cisco hardware". Rarely, if ever, do I hear the specific terms "PIX OS" or "CatOS" bandied about. The only other common usage is simply "software." As in, "what software is on that box?"
  
  So yes, the "Cisco University definition" of IOS is router-specific. But in the common usage it just means, "the software on that expensive blue boxy thing." However, feel free to nitpick to your heart's content. Just be sure to upgrade the software on your frickin' PIX.
2. Re:Umm... its not IOS by Maradine · 2003-12-18 01:05 · Score: 2, Informative
  
  I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.
  
  I think what makes things confusing for some people is the fact that many of the hardware types, especially Cats, can run multiple OSs. Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs, and an SVC-FWM-1 in a blade bay running PIXOS (which, for the record, is named 'Finesse'). That's why things get lumped.
  
  The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names. Point being, to someone who spends a reasonable portion of each day inside other people's Cisco gear, saying 'IOS' to me means 'IOS'.
  
  --
  trustedworlds.net - gaming, security, and the gunk that lives in between
3. Re:Umm... its not IOS by iiioxx · 2003-12-18 03:23 · Score: 4, Interesting
  
  I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.
  
  I spent about 5 years working for a Cisco VAR, which means I spent a great deal of time talking to Cisco SE's and of course, TAC engineers. I've heard more than a couple of CCIE's refer to IOS in a generic context.
  
  Now, I'm a sys/netadmin for a company with around 130 location across the US (and a boatload of Cisco gear). I and my cohorts likewise throw the term "IOS" around quite liberally.
  
  Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs...
  
  Actually, the "chassis" doesn't run anything, and the Sups run CatOS (just do a 'show module' on your Cat to see for yourself). But I think you are making the point of a Sup running CatOS and the MSFC running IOS, thus having multiple OS's in one box/blade.
  
  In that situation though, they are more conjoined twins than a singular entity. In fact, in our hardware naming system, the MSFC has a totally different designator than the Supervisor or chassis. So I wouldn't say "upgrade the IOS on that Cat". I'd say, "upgrade the IOS on XX03RM02" or "upgrade the IOS on XX03SW01". The designator makes it clear as to which software I am referring. XX03 is a site code, SW is a switch or Sup (thus CatOS) and RM is a router module or MSFC (thus IOS). Our hardware management database keeps track of the fact that XX03RM02 is conjoined with XX03SW01 and they are in the chassis with asset tag XYZ123.
  
  The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names.
  
  That would explain it.
Hey... by jazman_777 · 2003-12-17 17:55 · Score: 3, Insightful

When they say "holes in the firewall" it sounds like functionality. How about "defects" or "bugs"? Really, most firewalls have holes.

--
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
WRONG!! by wizzy403 · 2003-12-18 02:27 · Score: 3, Informative

RTFA, you idiot! The security issue applies to both the blade and the standalone PIX. Mod the parent down!