Slashdot Mirror


Cisco Flaw Opens Routers to Attack

Jack writes "Cisco is suffering from a serious flaw in its router operating system, which might allow execution of remote code: 'Cisco has warned of a new flaw in its IOS router operating system which might be used by attackers to launch denial of service attacks or take over IOS-based devices. The flaw causes to buffer overflow due to incorrect handling of user authentication credentials.'"

35 of 109 comments

  1. The Cisco Advisory by MECC · · Score: 5, Informative


    Here's a link to the cisco advisory
    I noticed the linked article didn't have that link, and it's viewable by the Internet public. Let's see how Cisco holds up to the mighty /. effect.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:The Cisco Advisory by bladesjester · · Score: 3, Insightful

      You'd be amazed at the things that you'll screw up on code-wise during a crunch period when you've been up for days on end trying to meet the deadlines that the pointy-hairs have set for you.

      We're still human in theory at least, so mistakes will happen and in a piece of software that's *that* big, it's really easy to miss them.

      --
      Everything I need to know I learned by killing smart people and eating their brains.
    2. Re:The Cisco Advisory by tweek · · Score: 2, Informative

      Actually it depends on the need. Maybe not in the router market all the time but in other markets, yes. It's also all about cost.

      I've recently turned into a HUGE Juniper fanboy recently. I was already an HP Procurve fanboy after some Cisco catalyst issues. That and price per port/performance trounces Cisco.

      In our situation, we had a vpn provider running a single Cisco 3030 concentrator. A maxed out 3030 costs around 25 or 30k and can support 500 nailed down tunnels with 50MB/s of encrypted throughput.

      Meanwhile two Netscreen 208s with core plus same day support cost us about 30k total.

      Stats on the Netscreen? 1000 nailed down tunnels and 200MB/s of 3DES encrypted throughput.

      These can also operate in an active/active setup and double the throughput (but not the tunnels).

      Now the question really begs "Should Cisco have bought Netscreen instead of Altiga?" In my mind yes. Netscreen's use of ASICs is what really gives them the power.

      Since I've not had the experience of dealing with the Juniper routers, I don't have an equivalent model comparison. I do know though that Juniper uses the "pc-based" architecture just like Cisco in the router line. To give Cisco credit, I am pretty impressed with the horsepower boost in the 2800 line over the 2600.

      I'm just waiting for Juniper to buy Foundry and be the beast that Cisco needs. That will fill out the product line QUITE nicely.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    3. Re:The Cisco Advisory by monkeydo · · Score: 4, Informative

      Believe it or not, Cisco makes many products that don't run IOS.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
  2. Best Practices 101 by b0r1s · · Score: 3, Insightful

    It's been pretty standard to ACL off authentication methods from unknown or untrusted networks for some time.

    If you can only auth from a known network, then an overrun in that auth process still requires access to a restricted location, which will stop 99% of attacks (which are usually automated these days).

    --
    Mooniacs for iOS and Android
    1. Re:Best Practices 101 by b0r1s · · Score: 3, Informative
      After reading the advisory, this actually isn't a hole in the IOS authentication, but in the proxy authentication for FTP and Telnet.

      This opens the hole somewhat (ie: it's open to an untrusted userbase by its nature), but the original point still stands as good general practice.


      The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

      Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

      Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.
      --
      Mooniacs for iOS and Android
    2. Re:Best Practices 101 by JPriest · · Score: 2

      The key statement there is "and/or Telnet Services". Almost every single Cisco router I have seen is running telnet. Lots of people are still using 12.2 though.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  3. Dupe by Namronorman · · Score: 4, Funny

    Dupe! Oh.... Nevermind, it seems like just yesterday a serious flaw was found in CISCO. I hope this doesn't become commonplace for CISCO

    --
    $fortune
    Tomorrow has been canceled due to lack of interest.
  4. Re:defcon? by earnest+murderer · · Score: 4, Funny
    Is this the same attack that didn't exist at defcon?

    No, this is the only existing issue on Cisco brand routers.

    The defcon attack isn't scheduled to exist until the patch is published in February.

    --
    Platform advocacy is like choosing a favorite severely developmentally disabled child.
  5. Is this perhaps... by max99ted · · Score: 3, Informative
    --

    Please stop APK.. you're only hurting yourself.

  6. is this the flaw Michael Lynn tried to tell about? by Gruturo · · Score: 2, Interesting

    Is this the flaw Cisco was trying to keep secret and that caused Michael Lynn to resign his job in order to be free to speak about?

    Appeared a little over a month ago right here

    --

    Vacuum cleaners suck. Kings rule.
  7. Re:Latest Viruses by ackthpt · · Score: 2, Interesting
    The latest viruses are getting pretty creepy. On the public network where I work, we recently plugged a Windows XP laptop in that had just been installed without anti-virus. There are apparently so many viruses going around on our network that within 10 minutes, the computer had 12 viruses that were picked up just through viruses that connect in remotely through ports that have not been "firewalled".

    Sounds like your problem isn't the PC, Windows or your network, but your network practices. We're pretty good about stripping attachments, filtering spam and having firewalls in place, but the extra yard is taking a PC off someone's desk and making sure many people around them know just who was doing what to bring the beastie in.

    I was having trouble with a connection, last December and disabled my firewall. Within 40 seconds something had already got in. The firewall went back up and I sorted the problems out with it in place.

    --

    A feeling of having made the same mistake before: Deja Foobar
  8. Affected Versions by gulfan · · Score: 5, Informative

    Affected versions include IOS 12.2ZH, IOS 12.2ZL, IOS 12.3, IOS 12.3T, IOS 12.4 and IOS 12.4T. IOS versions that are not vulnerable are IOS XR and IOS versions 12.2 and earlier, including 12.0S. This shouldn't be a problem for those Network Administrators that created access control lists for modifications for the router, however Cisco has issued a patch.

  9. ip auth-proxy by ctime · · Score: 5, Informative
    The bug affects systems running ip auth-proxy, I feel bad for anyone that has to run it. I played with it a bit while experimenting with wireless security schemes and I found it to be useless (to be fair it wasn't designed for it, either).

    If you or someone you know are running any of the following versions of code, please think of the baby seals and upgrade. That is all.

    Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface.
    - 12.2ZH and 12.2ZL based trains
    - 12.3 based trains
    - 12.3T based trains
    - 12.4 based trains
    - 12.4T based trains
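    A defender-side check for the two conditions quoted above (an affected release train, and an FTP or Telnet auth-proxy rule applied to an interface), written here as an added example; it is not code from this thread or from Cisco. The "show version" string format and the `ip auth-proxy name <RULE> {ftp|telnet|http}` / per-interface `ip auth-proxy <RULE>` syntax are assumptions from memory of IOS, and the sample inputs are constructed.

```python
import re

# Release trains the quoted advisory text lists as affected.
AFFECTED_TRAINS = {"12.2ZH", "12.2ZL", "12.3", "12.3T", "12.4", "12.4T"}

# Matches e.g. "Version 12.3(14)T2": major.minor, maintenance number, train letters.
# Assumed "show version" format; rebuild digits after the train letters are ignored.
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+)\((\d+)\)([A-Z]*)")


def ios_train(show_version: str):
    """Return the release train (e.g. '12.3T') parsed from 'show version', or None."""
    m = VERSION_RE.search(show_version)
    return m.group(1) + m.group(3) if m else None


def ftp_telnet_proxy_interfaces(running_config: str):
    """Return (interface, rule) pairs where an FTP/Telnet auth-proxy rule is applied.

    Assumed syntax: global 'ip auth-proxy name <RULE> {ftp|telnet|http}' and
    'ip auth-proxy <RULE>' under an 'interface' block terminated by '!'.
    HTTP/HTTPS-only rules are ignored, matching the advisory's scope.
    """
    rules = set(re.findall(r"^ip auth-proxy name (\S+) (?:ftp|telnet)\b",
                           running_config, re.M))
    applied, current = [], None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None
        elif current and line.strip().startswith("ip auth-proxy "):
            rule = line.split()[2]
            if rule in rules:
                applied.append((current, rule))
    return applied


def is_exposed(show_version: str, running_config: str) -> bool:
    """True only when the train is affected AND an FTP/Telnet rule is on an interface."""
    return (ios_train(show_version) in AFFECTED_TRAINS
            and bool(ftp_telnet_proxy_interfaces(running_config)))


# Constructed sample inputs, not captured from a real device.
SAMPLE_VERSION = "Cisco IOS Software, Version 12.4(1)T, RELEASE SOFTWARE"
SAMPLE_CONFIG = """\
ip auth-proxy name WEB-PROXY http
ip auth-proxy name TELNET-PROXY telnet
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy TELNET-PROXY
!
interface FastEthernet0/1
 ip auth-proxy WEB-PROXY
!
"""

if __name__ == "__main__":
    print(ios_train(SAMPLE_VERSION), ftp_telnet_proxy_interfaces(SAMPLE_CONFIG),
          is_exposed(SAMPLE_VERSION, SAMPLE_CONFIG))
```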

  10. sssshhhhh by jshaped · · Score: 4, Funny

    quiet everybody....
    if nobody knows, then nothing's wrong....

    1. Re:sssshhhhh by jshaped · · Score: 2, Interesting

      and yet still, it is obvious you cannot see my sense of humor.

    2. Re:sssshhhhh by Cervantes · · Score: 2, Funny
      quiet everybody....
      if nobody knows, then nothing's wrong...

      Excuse me sir, it's bad form for Cisco employees to post in this story.

      --
      If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
  11. Re:defcon? by MightyMartian · · Score: 5, Funny

    There are no flaws in Cisco's IOS. If there was, no one would be allowed to talk about it, and anyone who did would be threatened and forced to recant. Thusly, there are no Cisco vulnerabilities. The Cisco Inquisition will take care of those who actually dare to question the sanctity of the Church of Cisco, and its most holy IOS. This whole topic is clearly in violation of that most sacred tenet, and thus the Cisco Inquisition has determined that Slashdot advocates heresy. It will be duly noted and CmdrTaco will be forced to recant the very existence of this topic.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  12. Further... by burtdub · · Score: 3, Interesting

    A Crisco flaw has left the routers open to deep pan frying.

    1. Re:Further... by superpulpsicle · · Score: 2, Insightful

      I have a close friend who worked at Cisco for a while. The company had massive layoffs in 2001, followed by countless little series of layoffs in 2002, 2003. Tons of good engineers were supposedly let go. You wonder if the lack of engineering resources is beginning to catch up with them. All these years in the trenches shorthanded will leave the product more vulnerable than ever.

  13. Re:old news? by jd · · Score: 2, Informative

    I think that was the IPv6 routing bug, which allowed programs to be remotely run, which Cisco admitted to shortly after.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  14. Cisco IOS Firewall Authentication Proxy by RaZ0r · · Score: 5, Informative

    article text
    Summary

    The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

    Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

    Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

    Only devices running certain versions of Cisco IOS® are affected.

    Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.


    This means that only equipment that is configured to act as an authentication proxy for FTP and/or telnet is affected.

    I work with cisco equipment every day and this is not a normal service to have configured. This exploit probably isn't as big of a deal as it's being made out to be. Just my 2 cents...

    --
    - Think for yourself, question authority.-
  15. Re:is this the flaw Michael Lynn tried to tell abo by LarsG · · Score: 4, Informative

    Lynn's presentation wasn't about any specific vulnerability (I think he did mention one vulnerability, which was patched some time before the presentation). It was generally thought that most Cisco vulnerabilities could only hang or reboot IOS. Lynn showed that you could inject code. Which makes vulnerabilities like this one a lot more dangerous, as an attacker can Own the router instead of just crashing it.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  16. Re:defcon? by commodoresloat · · Score: 3, Funny
    CmdrTaco will be forced to recant the very existence of this topic

    Yes but then the dupe will be posted, so this will start all over again.

  17. Re:Small companies? by hal9000(jr) · · Score: 3, Interesting

    Read the advisory.
    The affected subsystem is not the firewall, but the authentication proxies for ftp and telnet. It is doubtful that those features are being used all that much.
    The advisory also lists a set of ACLs that should suffice in most cases until a patch is issued.
    If this was a problem in the firewall or ACL subsystem, it would be a bigger issue because many companies use them to place a reduced ruleset for all traffic that should be blocked in all directions like netbios, snmp, etc.

  18. Details and Mike Lynn by Effugas · · Score: 5, Informative

    No. Mike's "first cut" was against the link-local IPv6 parser (a fact not disclosed publicly by Mike, but by Cisco). Once in, he actually figured out how to execute arbitrary code -- something way harder than even Mike's slides describe.

    He could get into pretty much any Cisco router w/ his attack, whereas this proxy attack isn't going to affect anything on the global net.

    1. Re:Details and Mike Lynn by monkeydo · · Score: 2, Informative

      He could get into pretty much any Cisco router w/ his attack...

      Except all the routers not running IPV6.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    2. Re:Details and Mike Lynn by Effugas · · Score: 2, Informative

      Active by default.

      Mike's attack was significant on another front too -- getting an attack vector is one thing, actually using it is such a PITA that Jim Duncan of Cisco PSIRT (someone I know and highly respect) actually reacted with ... ahem ... "unexpectedly strong disbelief" when Mike said he could exploit the box using what he'd found.

    3. Re:Details and Mike Lynn by Effugas · · Score: 2, Informative

      Routing is disabled. Doesn't mean the box doesn't parse IPv6 before trashing 'em.

      As for the link-local -- the point of Mike's attack wasn't that he could take out arbitrary hosts, it was that shellcode on IOS was possible. The nasty thing is, on 100% Cisco networks (go look up Cisco Powered Network), you break the first hop, then the next, then the next, then the next...everything is link local when every hop is vulnerable.

  19. It's a Mitzvah by putko · · Score: 2, Interesting

    This SHOULD happen.

    It's a Mitzvah that this befalls Cisco. As previously mentioned here, they have no trouble ruining the lives of those who attempt to help make a more secure world by improving their product.

    A pox on their house.

    It is allowed that hackers make worms that exploit Cisco hardware and disrupt the businesses of those who stupidly subsidize such misanthropic activities.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
  20. Re:Latest Viruses by jerw134 · · Score: 2, Informative

    You obviously failed Networking 101. A hub or switch is nothing like a hardware based firewall. You don't have a clue.

  21. Are VLANs out of style? by Anti-Trend · · Score: 2
    Doesn't anybody use VLANs anymore? Maybe I'm ignorant here (it's a big world and all), but why should Windows clients be allowed to talk to each other on the network? Especially if there are VPN nodes and/or soft-spots in the network implementation? Simple VLANs and the usage of DMZ's for outward-facing servers have worked for us so far; any virus infections have been localized to a PC at a time. There's always the ol' email entry point, but that's what clamav is for, right? ;)

    Thanks,

    -AT

    --
    Working in a DevOps shop is like playing in a band made up entirely of keytarists.
    1. Re:Are VLANs out of style? by Floody · · Score: 2, Insightful

      Doesn't anybody use VLANs anymore? Maybe I'm ignorant here (it's a big world and all), but why should Windows clients be allowed to talk to each other on the network? Especially if there are VPN nodes and/or soft-spots in the network implementation? Simple VLANs and the usage of DMZ's for outward-facing servers have worked for us so far; any virus infections have been localized to a PC at a time. There's always the ol' email entry point, but that's what clamav is for, right? ;)

      vlans don't inhibit broadcast or unicast traffic on the same vlan, so unless each workstation is on a separate vlan (which I can't imagine, as it wouldn't scale), vlans aren't useful for isolating workstations from each other. They are, of course, useful for isolating workstations from other network devices.

  22. read between the lines by timmarhy · · Score: 2, Interesting

    look at the hidden meaning here. cisco censor a security researcher, and now they have a new vulnerability on their hands. get ready for an avalanche of these as angry hackers make an example of cisco.

    --
    If you mod me down, I will become more powerful than you can imagine....
  23. I blame it on... by Andy_R · · Score: 2, Funny

    My leds are always flashn'
    And it wouldn't be a bad thing
    But I don't get no packets
    And that's no lie

    We spent the night in Cisco
    At every kind of distro
    From that night I kissed
    Our data goodbye

    Chorus:
    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    The nasty virus bugs me
    But somehow it has drugged me
    Outbound ports get me
    On my feet

    I've changed my life completely
    I've seen the data leave me
    My baby just can't take
    Her PCs offline

    Chorus:
    Don't blame it on sunshine
    Don't blame it on moonlight
    Don't blame it on good times
    Blame it on the router

    I just can't
    I just can't
    I just can't control my ports...

    --
    A pizza of radius z and thickness a has a volume of pi z z a