On Tue, May 27, 2008, Valdis.Kletnieks@vt.edu wrote:
There's basically 2 classes of Cisco routers out there:
1) Ones managed by Jared and similarly clued people, who can quite rightfully yawn because the specter of "IOS rootkits" changes nothing in their actual threat model - they put stuff in place 3 years ago to mitigate "Lynn-style IOS pwnage", and it will stop this just as well. Move along, nothing to see.
2) Ones managed by unclued people. And quite frankly, if Lynn didn't wake them up 3 years ago, this isn't going to wake them up either. Move along, nothing new to see here either.
"60% of routers run by bozos who shouldn't have enable. Film at 11".
Bloody network people, always assuming their network security stops at their router. So now that someone's done the hard lifting to backdoor an IOS binary, and I'm assuming you all either upgrade by downloading from the cisco.com website or maintain a set of your own images somewhere, all one needs to do is insert themselves into -that- path and you're screwed. Hijacking prefixes isn't hard. That was presented at the same security conference. Cracking a UNIX/Windows management/FTP/TFTP host isn't impossible - how many large networks have their server infrastructure run by different people to their network infrastructure? Lots and lots? :) Sure, it's not all fire and brimstone, but the bar -was- dropped a little, and somehow you need to make sure that the IOS that's sitting on your network management site is indeed the IOS that you put there in the first place.

Adrian
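One way to implement the check Adrian is asking for, as an added example that is not part of the original thread: pin SHA-256 digests of the images when they are first staged from a trusted download, keep that manifest somewhere other than the staging host, and compare the host's copies against it before any upgrade. The image names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large IOS images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(image_dir):
    """Record digests of a freshly staged, trusted image directory.
    Assumption: the returned manifest is stored off the staging host (or signed),
    otherwise an attacker on that host can simply rewrite it along with the image."""
    return {name: sha256_of_file(os.path.join(image_dir, name))
            for name in sorted(os.listdir(image_dir))}


def verify_staging(image_dir, manifest):
    """Compare what is on the staging server now against the pinned manifest.
    Returns lists of images that were modified, that went missing, and that
    appeared without ever being pinned (a dropped-in image is as suspicious as a changed one)."""
    present = set(os.listdir(image_dir))
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in present:
            findings["missing"].append(name)
        elif sha256_of_file(os.path.join(image_dir, name)) != expected:
            findings["modified"].append(name)
    findings["unexpected"] = sorted(present - manifest.keys())
    return findings


def demo():
    """Constructed scenario: stage two placeholder images, pin them, then change the
    directory the way an integrity failure would look, and report the findings."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("image-a.bin", b"IOS-A" * 100), ("image-b.bin", b"IOS-B" * 100)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(d)
        with open(os.path.join(d, "image-a.bin"), "ab") as f:
            f.write(b"\x00")          # image-a no longer matches its pinned digest
        os.remove(os.path.join(d, "image-b.bin"))  # image-b is gone
        with open(os.path.join(d, "stray.bin"), "wb") as f:
            f.write(b"x")             # an image nobody pinned has appeared
        return verify_staging(d, manifest)


if __name__ == "__main__":
    print(demo())
```

Run the verification from a host that is administered separately from the TFTP/FTP server, so that compromising the image store alone does not let an attacker also rewrite the manifest.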