Cisco Flaw Opens Routers to Attack
Jack writes "Cisco is suffering from a serious flaw in its router operating system, which might allow execution of remote code: 'Cisco has warned of a new flaw in its IOS router operating system which might be used by attackers to launch denial of service attacks or take over IOS-based devices. The flaw causes a buffer overflow due to incorrect handling of user authentication credentials.'"
Is this the same attack that didn't exist at defcon?
Here's a link to the Cisco advisory
I noticed the linked article didn't have that link, and it's viewable by the Internet public. Let's see how Cisco holds up to the mighty
"We are all geniuses when we dream"
- E.M. Cioran
comment!
It's been pretty standard to ACL off authentication methods from unknown or untrusted networks for some time.
If you can only auth from a known network, then an overrun in that auth process still requires access to a restricted location, which will stop 99% of attacks (which are usually automated these days).
Mooniacs for iOS and Android
The latest viruses are getting pretty creepy. On the public network where I work, we recently plugged a Windows XP laptop in that had just been installed without anti-virus. There are apparently so many viruses going around on our network that within 10 minutes, the computer had 12 viruses that were picked up just through viruses that connect in remotely through ports that have not been "firewalled". This explains why I use Solaris or Linux for my desktop system.
No Sigs!
Dupe! Oh.... Never mind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become commonplace for CISCO
$fortune
Tomorrow has been canceled due to lack of interest.
...some fallout from http://it.slashdot.org/article.pl?sid=05/07/29/1850234&tid=99&tid=172&tid=123&tid=218
Please stop APK.. you're only hurting yourself.
Is this the flaw Cisco was trying to keep secret and that caused Michael Lynn to resign his job in order to be free to speak about?
Appeared a little over a month ago right here
Vacuum cleaners suck. Kings rule.
Does this mainly just impact smaller companies? I'm not sure if major corporations use routers with the firewall feature set, rather a true firewall instead. If that's the case, there shouldn't be huge consequences for this. I doubt small companies that would use the firewall feature set are hacker targets as much as the larger corps are.
I think I remember reading about the guy that broke this at a conference a few months back...
This will help them hold up to the mighty /. effect (let's give them a break, no unnecessary burdens)
Advisory
Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that are not vulnerable are IOS XR and IOS versions 12.2 and earlier, including 12.0S. This shouldn't be a problem for those Network Administrators that created access control lists for modifications to the router; however, Cisco has issued a patch.
If you or someone you know is running any of the following versions of code, please think of the baby seals and upgrade. That is all.
Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface.
12.2ZH and 12.2ZL based trains
12.3 based trains
12.3T based trains
12.4 based trains
12.4T based trains
Wouldn't it be interesting if a router company (not naming names here) used a flaw in its router software/firmware to justify forced software/firmware upgrades instituted remotely by said router company? And wouldn't it also be interesting if a particular government or governments co-opted that forced patching process to secretly attach surveillance capabilities to various routers?
Quiet, everybody....
if nobody knows, then nothing's wrong....
A Crisco flaw has left the routers open to deep pan frying.
And so, if you have an IOS object, it might be a good idea to read the advisory, that is, if your network is still up.
---- Teach Peace. It's Cheaper Than War.
article text
Summary
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.
Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.
Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
Only devices running certain versions of Cisco IOS® are affected.
Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
This means that only equipment that is configured to act as an authentication proxy for FTP and/or telnet is affected.
I work with Cisco equipment every day and this is not a normal service to have configured. This exploit probably isn't as big of a deal as it's being made out to be. Just my 2 cents...
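A way to check, from a saved configuration, whether a router is in the exposed state the advisory summary describes (an FTP or Telnet authentication proxy rule applied to an active interface, on one of the listed release trains) and whether the inbound-ACL mitigation mentioned earlier in the thread is in place. This is an added example, not code from the page, from Cisco or from any commenter: the two configurations it parses are constructed samples, the auth-proxy and access-group command forms used in them are an assumption to verify against the IOS documentation for your release, and the train match only means "named in the advisory", since fixed releases exist inside those trains.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Release trains the advisory excerpt on this page lists as affected. A match
# means "this train is named in the advisory", not "this release is vulnerable":
# fixed releases exist within these trains, so consult the fixed-release table.
AFFECTED_TRAINS = {"12.2ZH", "12.2ZL", "12.3", "12.3T", "12.4", "12.4T"}
# "12.3(14)T7" -> major "12.3", train letters "T"; the rebuild number is ignored.
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\(\d+\))?([A-Z]*)")


def release_train(version: str) -> Optional[str]:
    """Map an IOS version string to its release train ('12.3(14)T7' -> '12.3T')."""
    m = _VERSION_RE.match(version.strip())
    return m.group(1) + m.group(2) if m else None


@dataclass
class Interface:
    name: str
    shutdown: bool = False
    proxies: List[str] = field(default_factory=list)  # auth-proxy rule names applied here
    acl_in: Optional[str] = None                        # inbound ACL name, if any


def parse_config(text: str) -> Tuple[Optional[str], Dict[str, str], List[Interface]]:
    """Extract the version, auth-proxy rules (name -> protocol) and interface stanzas."""
    version: Optional[str] = None
    proxies: Dict[str, str] = {}
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            current = None  # an unindented line ends the current interface stanza
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "version" and len(parts) > 1:
            version = parts[1]
        elif parts[:3] == ["ip", "auth-proxy", "name"] and len(parts) >= 5:
            proxies[parts[3]] = parts[4]  # e.g. PROXY_FTP -> ftp
        elif parts[0] == "interface" and len(parts) > 1:
            current = Interface(name=parts[1])
            interfaces.append(current)
        elif current is not None:
            if parts == ["shutdown"]:
                current.shutdown = True
            elif parts[:2] == ["ip", "auth-proxy"] and len(parts) == 3:
                current.proxies.append(parts[2])
            elif parts[:2] == ["ip", "access-group"] and parts[-1] == "in":
                current.acl_in = parts[2]
    return version, proxies, interfaces


def exposure(config_text: str) -> List[dict]:
    """Report active interfaces with an FTP or Telnet auth-proxy rule applied.

    HTTP-only proxies and shut-down interfaces are not affected per the advisory
    excerpt. An inbound ACL does not remove the bug, but it limits who can reach
    the authentication code path, so such interfaces are reported at lower risk.
    """
    version, proxies, interfaces = parse_config(config_text)
    findings = []
    for itf in interfaces:
        if itf.shutdown:
            continue
        protocols = sorted({proxies.get(p, "?") for p in itf.proxies} & {"ftp", "telnet"})
        if not protocols:
            continue
        findings.append({
            "interface": itf.name,
            "protocols": protocols,
            "inbound_acl": itf.acl_in,
            "train_listed": release_train(version or "") in AFFECTED_TRAINS,
            "risk": "high" if itf.acl_in is None else "medium",
        })
    return findings


# Constructed sample configs (not from the page or any real device); the
# auth-proxy / access-group command forms are an assumption, check your IOS docs.
WEAK_CONFIG = """\
version 12.3
ip auth-proxy name PROXY_FTP ftp
ip auth-proxy name PROXY_TELNET telnet
ip auth-proxy name PROXY_WEB http
interface FastEthernet0/0
 ip auth-proxy PROXY_FTP
 ip auth-proxy PROXY_TELNET
interface FastEthernet0/1
 ip auth-proxy PROXY_WEB
interface Serial0/0
 ip auth-proxy PROXY_TELNET
 shutdown
"""
MITIGATED_CONFIG = """\
version 12.4(2)T
ip auth-proxy name PROXY_TELNET telnet
ip access-list extended FROM_TRUSTED
 permit ip 198.51.100.0 0.0.0.255 any
 deny ip any any
interface FastEthernet0/0
 ip access-group FROM_TRUSTED in
 ip auth-proxy PROXY_TELNET
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(label, exposure(cfg))
```

Run against a real `show running-config` dump, the interesting output is the "high" findings: an FTP or Telnet proxy on an interface that any source can reach. The "medium" case still needs the upgrade the advisory points to; the ACL only shrinks who can hit the overflow, which is exactly the point made above about restricting authentication to known networks.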
- Think for yourself, question authority.-
Lynn's presentation wasn't about any specific vulnerability (I think he did mention one vulnerability, which was patched some time before the presentation). It was generally thought that most Cisco vulnerabilities could only hang or reboot IOS. Lynn showed that you could inject code. Which makes vulnerabilities like this one a lot more dangerous, as an attacker can Own the router instead of just crashing it.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Cisco's latest manifesto, like all the ones that preceded it, is a consummate anthology of disastrously bad writing teeming with misquotations and inaccuracies, an odyssey of anecdotes that are occasionally entertaining, but certainly not informative. Cisco has been trying for some time to convince people that it's okay for it to indulge its every whim and lust without regard for anyone else or for society as a whole. Don't believe its hype! Cisco has just been offering that line as a means to treat traditional values as if they were flippant, unsavory crimes. Okay, then, let's move onto the really good part of this letter, the part in which I get to tell you that we must understand that Cisco's legatees compress Cisco's jibes into brief, highly reductive, definitive-sounding phrases, easily memorized and easily expressed. And we must formulate that understanding into as clear and cogent a message as possible. Make no mistake about it, the question that's on everyone's mind these days is, "Why doesn't Cisco try doing something constructive for once in its history?" In classic sophist fashion, I ask another question in reply: How can something that claims to be so educated and so open-minded dare to undermine the basic values of work, responsibility, and family? While I don't know the answer to that particular question, I do know that Cisco's opinions always follow the same pattern. It puts the desired twist on the actual facts, ignores inconvenient facts, and invents as many new "facts" as necessary to convince us that divine ichor flows through its veins.
If Cisco were paying attention -- which it would seem it is not, as I've already gone over this -- it'd see that it maliciously defames and damagingly misrepresents everyone and everything around it. There's a word for that: libel. It is easy to see faults in others. But it takes perseverance to overcome the obstacles that people like Cisco establish. I don't have time to go into this in as much detail as I should, but the point at which you discover that Cisco's grievances celebrate deception, diversion, and fashion is not only a moment of disenchantment. It is a moment of resolve, a determination that its older expostulations were mawkish enough. Its latest ones are really beyond the pale. At no time in the past did the most effrontive trolls I've ever seen shamble through the streets of cities, demanding rights they imagine some supernatural power has bestowed upon them. If I said that every featherless biped, regardless of intelligence, personal achievement, moral character, sense of responsibility, or sanity, should be given the power to force Cisco's moral code on the rest of us, I'd be a liar. But I'd be being utterly honest if I said that if Fate desired that it make a correct application of what it had read about revanchism, it would have to indicate title and page number, since the hideous organization would otherwise never in all its existence find the correct place. But since Fate does not do this, its coadjutors get so hypnotized by its simplistic "good guys and bad guys" approach to history that they do no
No, it is not. The Lynn/Cisco flaw had to do with IPv6, and this (From RTFA = Cisco Security Advisory link not the BS link provided in the parent post) has no such dependency.
;-)
Yes... I have seen the slides, and it opened up my mind. I saw the slides (old song... Ace of Base)
pffft! I'm not concerned. Call me when they pwn my router... or maybe pwntz0r it...
No. Mike's "first cut" was against the link-local IPv6 parser (a fact not disclosed publicly by Mike, but by Cisco). Once in, he actually figured out how to execute arbitrary code -- something way harder than even Mike's slides describe.
He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.
I can't believe this article is getting this level of attention. After reading the advisory on Cisco.com (BTW, not linked to the article) I agree it's a serious flaw in IOS/FW, but there's probably less than 50 sites in the whole world using this feature.
Additionally, the referenced article on IT Observer is the editorial equivalent of a steaming pile of dog crap.
"Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."
Not only is the paraphrasing blatantly ignorant of _Cisco's_ mitigation advice, they're making reference to Symantec.
This SHOULD happen.
It's a Mitzvah that this befalls Cisco. As previously mentioned here, they have no trouble ruining the lives of those who attempt to help make a more secure world by improving their product.
A pox on their house.
It is allowed that hackers make worms that exploit Cisco hardware and disrupt the businesses of those who stupidly subsidize such misanthropic activities.
http://www.thebricktestament.com/the_law/when_to_
I've been running a Cisco-free network for years.
My Bay Networks router has NEVER failed, nor been compromised. It does everything I want it to do and then some. Paid for long ago. Just keeps running.
There are LOTS of alternatives to Cisco. People just need to think and look. Funny, it will probably also cost less, and you won't have to deal with the obnoxious, arrogant, know-it-all Cisco field people, either.
What I'd like to know is who Cisco is going to sue over this bug... ;-)
Oh well, what the hell...
Geezo, that piece must come from an incredibly bad Psychology text book. I'll pray for the poor students that have to suffer through those classes...
Oh well, what the hell...
What, you thought they were angels?
http://malfeasance.50megs.com/
Oh, Pancho!
The higher the technology, the sharper that two-edged sword.
Cisco isn't suffering from this flaw, IT administrators and end users are.
Shhhhhhhhh - - be vewy vewy quiet. I'm hunting wouters....
"As for the future, your task is not to foresee it, but to enable it." - Antoine de Saint-Exupery
Thanks,
-AT
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
What do you consider a true firewall?
I mean, I've never seen or heard that term.
From my understanding a firewall is ANY procedure that directs (ie allows/disallows) and detects traffic on a network.
Do you mean a 'hardware' (cisco's) as opposed to 'software' ONLY?
If so, cisco's (is all FIRMWARE), as in SOFT-WARE, ie. embedded in hardware permanently (unless flashed by user).
Or am I missing something here.
I don't mean to start a pissing contest or anything.. it is just that there is sooo much to learn and confusion out there.. that when I see a term I am not familiar with, I investigate :)
I will gladly lose all of life's battles.. in order to win the war..
Theology is like being in a dark room, looking for a black cat that isn't there and shouting "I found it!"
Science is like being in a dark universe, looking for a black hole that isn't there and shouting "I found it!".
lol ;)
I will gladly lose all of life's battles.. in order to win the war..
Cisco Issues Fixes for Vulnerable Web Routers http://www.eweek.com/article2/0,1895,1856497,00.asp/
Seeing as the patch was issued yesterday, or even the day before.
Look at the hidden meaning here. Cisco censors a security researcher, and now they have a new vulnerability on their hands. Get ready for an avalanche of these as angry hackers make an example of Cisco.
If you mod me down, I will become more powerful than you can imagine....
Actually, he showed that you could get a root shell. This is why Cisco tried so hard to stop him. This was very, very major. The presentation is available in the free (from Bush) world.
What a pity that Think Geek stopped selling those "I am Enabled" shirts. Sounds like the market for those is about to increase... ;-)
Since a vulnerability exists that lets you run remote code, why not make use of that vulnerability to patch itself? It's almost elegant if you think about it... a problem that becomes the solution to end itself. Under the right circumstances, this isn't an impossible thing to do.
When I'm up against a serious bug, remote code execution for instance, I write a test case to consistently reproduce it. I do a full analysis on the affected code and any dependencies. Before I fix the problem, I know everything about it. I might be wrong, but I think that Cisco probably does this too.
What I'm trying to say is that Cisco probably builds usable exploits before firmware updates. You need some form of an exploit to test if the fix actually worked. The professional software companies that I've come across all require test cases for bug fixes. I can't imagine that Cisco is any different.
Even if I'm wrong about their software development processes, they could still do it if they wanted to. It is very possible with the right vulnerability. I could see a company run by software engineers pulling it off.
Wait, never mind. This is a horrible idea. You'd be giving script kiddies code to attack the holes of slow adopters. Eek. Scratch this one. At least the idea sounds cool.
My leds are always flashn'
And it wouldn't be a bad thing
But I don't get no packets
And that's no lie
We spent the night in Cisco
At every kind of distro
From that night I kissed
Our data goodbye
Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
The nasty virus bugs me
But somehow it has drugged me
Outbound ports get me
On my feet
I've changed my life completely
I've seen the data leave me
My baby just can't take
Her PCs offline
Chorus:
Don't blame it on sunshine
Don't blame it on moonlight
Don't blame it on good times
Blame it on the router
I just can't
I just can't
I just can't control my ports...
A pizza of radius z and thickness a has a volume of pi z z a
"Symantec has raised the vulnerability threat level and advised to disable firewall and authentication until their IOS is patched."
Sure, I'll get right on disabling my firewall so the world can take over the even more insecure [unfortunate] 95% Windows network at my work.
My lame blog.
I gotta calls'm as I sees'm.