Slashdot Mirror


Cisco IOS Source Code Theft Story Continues

securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analysts Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage of this story was here.

18 of 318 comments

  1. Can you imagine... by Anonymous Coward · · Score: 5, Insightful

    ...if the entire internet was taken down? For an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent, just like junkies.

    1. Re:Can you imagine... by skasingularity · · Score: 5, Funny
      Sure there would be problems, but I think most people would opt for watching TV or going outside. Some businesses would stall, and slashdot users would probably try and hang themselves with their mice, but I think a relatively large part of the world would continue to operate.

      Just because you rely on the internet doesn't mean the entire world does too.

    2. Re:Can you imagine... by iapetus · · Score: 5, Funny

      Personally I take offence at your narrow typecasting of Slashdot users.

      Some of us use wireless mice, and would have to resort to hanging ourselves with VGA cables.

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    3. Re:Can you imagine... by banzai51 · · Score: 5, Funny

      I have stolen the entire source code for Lunix. I'm going to distribute it and see how long before EVERY linux server is down.

  2. backdoor by sleepnmojo · · Score: 5, Funny

    They could have at least posted the code for the backdoor in all the routers.

    1. Re:backdoor by thpdg · · Score: 5, Funny

      Have you ever tried to configure any Cisco equipment? Even if you had the password, you'd give up in frustration after a few minutes. The only ones who can do it are the ones who have a lot of experience with it. That's the real security of the plan!

      --

      -Patrick

      "They never stop thinking about new ways to harm our country and our people, and neither do we."

  3. Secure ? by cyberfunk2 · · Score: 5, Insightful

    Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter (just as the code for stuff like ipfw is open)?

    I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.

    1. Re:Secure ? by flying_mushroom · · Score: 5, Insightful

      The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.

      Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.

    2. Re:Secure ? by Anonymous Coward · · Score: 5, Interesting
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter (just as the code for stuff like ipfw is open)?
      I presume that by ipfw, you're speaking of the BSD IP firewall. In which case, yes, you're right, Cisco's IOS does a bit more in terms of advanced processing.

      Having had a look at some of the source code, I'm generally impressed. Cisco's code is solid. It's perhaps a bit more simplified than what you'll see in BSD's ipfw source, but simpler is better when you're talking about mission-critical applications. IOS is responsible for switching packets on a fair amount of heavy links; ipfw is responsible for switching packets at your average LAN.

      I don't think the IOS leak is going to lead to any new vulnerabilities. Cisco produces solid code. The only real interesting thing we may see is backdoor-style commands to IOS that the public is not aware of.

      --
      Free Naked Pics
    3. Re:Secure ? by johne_ganz · · Score: 5, Interesting
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter

      Yes, provided it's solid code. So the obvious question is: is it solid code? What makes for solid code? I'm of the opinion that it is far from 'solid' code for two main reasons.

      The history of the code base.

      Its monolithic nature.

      IOS started out on the same CPU board as Sun (and SGI) computers: the Stanford 68000 board. Remember what Sun stands for: Stanford University Network. These three companies all started from the same hardware design. Cisco took this design and the original software for running the Stanford networks (some allege they stole it) and kept adding on to it. The 68000 had no MMU, and therefore provided no protection of one process from another: any process could write to any part of memory.

      The problem is that the software still has this in its genes. While IOS will make use of modern MMUs to do some level of protection (such as marking the text segment read-only), at its core it's still an "every process is fully trusted" design. Now, this does have some advantages: in the old days, when the forwarding was all done on the CPU in the interrupt context, this was a huge win. Saving all the state and MMU context switches could really lower performance.

      The drawbacks, however, are pretty bad IMHO. Since there's no separation of processes, any one process can bring down the system. If BGP was running under Unix, and it ran into a problem where it would seg fault, under IOS the entire system would panic and reboot. If it happens to catch the error, which is much less likely to happen because there's no separation of processes and what memory resources belong to that process as opposed to other processes.

      The monolithic nature of IOS also tends to breed lax programming practices. Who needs to ensure that everything is tip top when everything is self contained? There's a certain Darwinian pressure that gets placed on a system when anyone can write code for it and expects the system to stay up and running, like Unix. Under IOS, none of that exists. As a matter of fact, the pressure is in the opposite direction: when you write something that crashes the system, don't do that. Furthermore, the code tends to largely interact with only a few other implementations, and the one it interacts with the most is itself (Ciscos talking to Ciscos). Not a lot of pressure to find those odd ball corner cases and fix them... Just the kind of corner cases that are the most likely to result in exploitable bugs.

      So, are there security problems with IOS? You'd better believe it. All you have to do is peruse the BugTracker database and look for bugs that cause a crash. Things like "malformed SNMP request causes crash" are prime candidates to exploit.

  4. Suspect profile by Anonymous Coward · · Score: 5, Funny
    Here is my suspect profile:

    1. French or German
    2. Linux/open source zealot
    3. Lives in parents basement
    4. Showers monthly

  5. Rough translation of 'bragged' link... by iapetus · · Score: 5, Informative

    "As SecurityLab discovered, on the 13th of May all the source code of the CISCO IOS operating system, which is used in the majority of CISCO's network installations was stolen. The full extent of the stolen information runs to about 800MB compressed.

    According to our information, the release of fragments of the source code came about due to a break-in to the corporate network of Cisco System. Representatives of Cisco System have meanwhile made no comment on the incident.

    The information came from a certain individual under the nick of franz on darknet@EFNet IRC, where he also presented a small part of the source code (about 2.5MB) as evidence.

    Below are links to the first 100 lines of source code from the files ipv6_tcp.c and ipv6_discovery_test.c."

    Apologies for any errors - my technical Russian's a little rusty. :)

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  6. Re:800MB?? by SmackCrackandPot · · Score: 5, Informative

    You've got a real-time operating system, a basic file-system, the TCP/IP and all the other protocol stacks, the SNMP/MIB support and proprietary routing algorithms. Presumably, the source code would be documented to some extent, along with SCCS archiving. All of this could easily add up to over 800 Megabytes.

  7. The one thing not mentioned by RedShoeRider · · Score: 5, Interesting
    Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub. Whoever pulled this off (assuming it's not bullshit) knew something (social engineering, perhaps), for I'm sure Cisco has been hammered by attacks for years, just like any large company.

    My one thought: it's all bullshit until Cisco comes out and says they were hacked. Anyone can put together a bunch of seemingly well-written code and say that they were l33t and got in to Cisco.

    The proof is in the pudding. And all I see so far is some sugar.

    --

    Chris Knight is my hero.

  8. That's why corps should stick to dial-up.. by Anonymous Coward · · Score: 5, Funny

    ..they would have noticed then if 800 MB was being downloaded.

  9. Re:Cisco IOS built on BSD by LizardKing · · Score: 5, Interesting

    I recently finished CCNA training and asked the instructor what OS Cisco IOS was based on, and I was told it's based on BSD OS. He didn't tell me which BSD though....

    It's descended from the Unix related work done at Berkeley in the early 1980's. I can't find a suitable link at the moment, but from what I remember there was some controversy about the commercialisation of the code. Much of the work was while the future Cisco founders were still employed at the university. This meant it should have belonged to the Regents, and released under a BSD license. If so, then it's ironic that the code is in the public domain, albeit under dubious circumstances.

    Chris

  10. Vulnerability by version by RicoX9 · · Score: 5, Insightful

    I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet uncompromisable (as most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).

    They could also find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as their base code is probably a lot more stable and reviewed than the newer, more advanced features.

  11. If it had been a microsoft leak ... by Anonymous Coward · · Score: 5, Interesting

    Well ... is it not kinda strange? A few months back when the Windows code was leaked, most of Slashdot was screaming about 65,000 (I didn't cook that number!) Windows bugs. Well, nothing happened really. Except an IE 5.x bug, which was patched silently before the source code leak.

    Now let's compare the REAL security issues.
    1. The number of people who were dissecting the Windows Source Code are much more than those trying to find a Cisco hole.
    2. Even without the Windows Source, we can reverse engineer large parts of the Windows Sources and identify problems. With the leak it just became easier. I don't expect too many crackers trying to find holes in Cisco's IOS.

    This simply means that the chances of finding a security hole in Cisco is much higher than in Windows. Because now that the source is out in the open, it's easier. Why would they choose to look?

    1. Bringing down those routers could virtually bring down most of the internet.
    2. The entire financial world uses them! If a hole is discovered it might just be the easiest way to get into those systems.
    3. It could be easier than trying to find a Windows hole, since (as from my earlier logic) many many people have already tried without results.
    4. The damage that could be done in those 2 cases are so immense, that a comparison would be irrelevant. ... Slashdotters, can't it be just possible that this leak might be much more disastrous than the Windows leak?

    [Troll: Btw ... it's funny reading that Windows article again, and going through posts that talked about non-existent security in Windows. And how many holes did people find.]