Re: Cisco IOS Exploit Cover Up
One thing that bugs me, though, is the quote that is credited to Lynn:

[snip]
"I feel I had to do what's right for the country and the national infrastructure," he said. "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."
[snip]

http://www.securityfocus.com/news/11259

Lynn's statement would tend to make one believe that this is yet another example of a vulnerability that is awaiting an exploit, not one that has yet to be discovered -- a sort of Sword of Damocles, if you will...

- ferg

-- Brett Frankenberger <rbf@rbfnet.com> wrote:

On Thu, Jul 28, 2005 at 07:03:31AM -0700, Eric Rescorla wrote:

As nearly as I can tell from reports (I wasn't there), he (1) talked about a general way to exploit a buffer overflow to cause arbitrary code execution (this would apply to buffer overflows generally, but would be completely useless if you didn't know of a buffer overflow to exploit), and (2) demonstrated his technique using a previously known buffer overflow vulnerability which Cisco has already patched. So Cisco is correct in saying that he didn't identify any new vulnerabilities, and Cisco is also correct in saying that the vulnerability he used in his presentation to demonstrate his technique has been patched. However, the same technique will be useful on the next buffer overflow vulnerability to be discovered.

-- Brett
Lynn's statement would tend to make one believe that this is yet another example of a vulnerability that is awaiting an exploit, not one that has yet to be discovered -- a sort of Sword of Damocles, if you will...
I think he's just pointing out that the risk assessments of many network operators are way off. Some postings to this list certainly suggest that. Too many people seem to have forgotten the work done by Phenoelit. Maybe their exploits leave something to be desired, but, as the saying goes, attacks only get better. In other words, it's not about a single vulnerability. It's about a widespread belief in the invincibility of IOS. And, to be honest, I'm scared how many people subscribe to that religion. Such irrationality puts networks at risk, far more than any single vulnerability could.
I think he's just pointing out that the risk assessments of many network operators are way off.
I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.

Geo.
I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.
could they be unpatched because no one has sent out a notice saying "versions before X have known vulnerabilities. upgrade now to one of the following: ...?"

randy
On Fri, 29 Jul 2005, Randy Bush wrote:
could they be unpatched because no one has sent out a notice saying "versions before X have known vulnerabilities. upgrade now to one of the following: ...?"
It's interesting... yes, I do make fun of my Windows brethren about their security problems, but the fact is they have it pretty easy since you know when MS security patches are coming out and you know when you'll have to patch your servers. But Cisco doesn't seem to make it that easy to keep a large environment of their devices up to date. Some better tools from them would be good - even for those of us who do have support contracts.

-- 
John A. Kilpatrick
john@hypergeek.net
http://www.hypergeek.net/
I spoke with people with Lynn in Vegas and confirmed the following, if anyone is watching the AP wire or Forbes you'll see that Cisco, et al. and Lynn have settled the suit. http://www.forbes.com/business/feeds/ap/2005/07/28/ap2163964.html
I spoke with people with Lynn in Vegas and confirmed the following, if anyone is watching the AP wire or Forbes you'll see that Cisco, et al. and Lynn have settled the suit.
i missed the part where we, the likely actual injured parties, learn to what we are vulnerable and how to protect ourselves.

randy
On Jul 28, 2005, at 8:40 PM, Randy Bush wrote:
I spoke with people with Lynn in Vegas and confirmed the following, if anyone is watching the AP wire or Forbes you'll see that Cisco, et al. and Lynn have settled the suit.
i missed the part where we, the likely actual injured parties, learn to what we are vulnerable and how to protect ourselves.
I would direct you to your account manager at Cisco. ;)
On Fri, 29 Jul 2005, Randy Bush wrote:
I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.
could they be unpatched because no one has sent out a notice saying "versions before X have known vulnerabilities. upgrade now to one of the following: ...?"
or... cause new IOS won't run on them.
On Fri, Jul 29, 2005 at 01:01:42AM +0000, Christopher L. Morrow wrote:
could they be unpatched because no one has sent out a notice saying "versions before X have known vulnerabilities. upgrade now to one of the following: ...?"
or... cause new IOS won't run on them.
Indeed - Cisco's hardware, especially the older, smaller boxes, tended to be really solid once you got them running. I was just pondering a few minutes ago on how many 2500's I configured & installed in 1996 & 1997 are still running today, on code that's no longer supported by Cisco, and which are incapable of taking enough flash to load a newer image.

-John
--- John Forrister <john@segfault.com> wrote:
Indeed - Cisco's hardware, especially the older, smaller boxes, tended to be really solid once you got them running. I was just pondering a few minutes ago on how many 2500's I configured & installed in 1996 & 1997 are still running today, on code that's no longer supported by Cisco, and which are incapable of taking enough flash to load a newer image.
As a definite example, a client of mine has a 1601 sitting on the end of a T1 running 11.3... They're not interested in spending any money on an upgrade, as the box is doing exactly what they want: running RIP internally, and taking Ethernet-in and Serial-out.

-David
On 7/29/05, David Barak <thegameiam@yahoo.com> wrote:
--- John Forrister <john@segfault.com> wrote:
Indeed - Cisco's hardware, especially the older, smaller boxes, tended to be really solid once you got them running. I was just pondering a few minutes ago on how many 2500's I configured & installed in 1996 & 1997 are still running today, on code that's no longer supported by Cisco, and which are incapable of taking enough flash to load a newer image.
As a definite example, a client of mine has a 1601 sitting on the end of a T1 running 11.3... They're not interested in spending any money on an upgrade, as the box is doing exactly what they want: running RIP internally, and taking Ethernet-in and Serial-out.
As a counter-point, many thousands of routers were needlessly upgraded because of Y2K, edge to core. It's not about reality, it's about perception.

-Scott
And quite honestly, we can probably be pretty safe in assuming they will not be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other exploits) or SSH (even other exploits) on that box. :) (the 1601 or the 2500's)

But, in the advisory that Cisco put out, it did mention free software upgrades were available even to non-contract customers. They simply had to originate from a call to TAC about it. Doesn't seem too bad.

Not everyone has to worry about these things. Place and time.

Scott

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Barak
Sent: Friday, July 29, 2005 2:52 PM
To: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up

--- John Forrister <john@segfault.com> wrote:
Indeed - Cisco's hardware, especially the older, smaller boxes, tended to be really solid once you got them running. I was just pondering a few minutes ago on how many 2500's I configured & installed in 1996 & 1997 are still running today, on code that's no longer supported by Cisco, and which are incapable of taking enough flash to load a newer image.
As a definite example, a client of mine has a 1601 sitting on the end of a T1 running 11.3... They're not interested in spending any money on an upgrade, as the box is doing exactly what they want: running RIP internally, and taking Ethernet-in and Serial-out.

-David
--- Scott Morris <swm@emanon.com> wrote:
And quite honestly, we can probably be pretty safe in assuming they will not be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other exploits) or SSH (even other exploits) on that box. :) (the 1601 or the 2500's)
Let's see - RIP, Telnet, and SNMP are the only services listening on the box, and those are ACLed off at the serial interface. I'd LOVE to run SSH, but my image is not kind, nor is the size of the flash...
Not everyone has to worry about these things. Place and time.
Agreed - I just wanted to give a concrete example of this stuff in the wild.

David Barak
Scott Morris wrote:
And quite honestly, we can probably be pretty safe in assuming they will not be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other exploits) or SSH (even other exploits) on that box. :) (the 1601 or the 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc. The way I see it, all that's needed is two major exploits, one known by Cisco, one not. Exploit #1 will be made public. Cisco will release fixed code. Good service providers will upgrade. The upgraded code version will be the one targeted by the second, unknown, exploit.

A two-part worm can infect Windows boxen via any common method, and then use them to try the exploit against routers. A Windows box can find routers to attack easily enough by doing traceroutes to various sites. Then, the Windows boxen can try a limited set of exploit variants on each router. Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm creators that "Hey, you 0wn X number of routers", or it could do something fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years now. <shrug>
Once upon a time, Janet Sullivan <ciscogeek@bgp4.net> said:
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc.
Right. And if they wanted to cause chaos on computers, they'd ignore business desktops and home computers and target large server farms.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Fri, 29 Jul 2005 17:26:45 CDT, Chris Adams said:
Once upon a time, Janet Sullivan <ciscogeek@bgp4.net> said:
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc.
Right. And if they wanted to cause chaos on computers, they'd ignore business desktops and home computers and target large server farms.
How many home computers did Mafiaboy DDoS?
On 30/07/05, Janet Sullivan <ciscogeek@bgp4.net> wrote:
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc.
That's like saying "nobody will write Windows trojans to infect tiny PCs, they'll go after big fat *nix servers with rootkits"

Something as simple as a default enable password :) I wonder how many routers out there have open telnet access and enable set to "cisco" or "password123" :)

-- 
Suresh Ramasubramanian (ops.lists@gmail.com)
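As an added example (not code from the thread, from Cisco, or from any of the posters), a small Python audit over a constructed IOS-style config that flags the three conditions the thread keeps coming back to: a version older than an operator-chosen minimum (Randy's "versions before X" notice), telnet on vty lines with no access-class (David's point about ACLing services off at the interface), and a well-known enable password (Suresh's "cisco" or "password123"). MIN_VERSION, WEAK_PASSWORDS and the sample config are assumptions.

```python
import re

# Constructed sample config (not from any real device) exhibiting the three
# conditions the thread mentions: an old train, telnet on vty with no ACL,
# and a guessable enable password.
SAMPLE_CONFIG = """\
version 11.3
hostname edge-1601
enable password cisco
!
line vty 0 4
 password password123
 login
 transport input telnet
"""

# Assumed policy minimum; the thread names no specific "version X".
MIN_VERSION = (12, 3)
WEAK_PASSWORDS = {"cisco", "password123", "password", "admin"}

def parse_version(config):
    """Return the (major, minor) IOS version from the 'version' line, or None."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit_config(config, min_version=MIN_VERSION):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    ver = parse_version(config)
    if ver is None:
        findings.append("no 'version' line found")
    elif ver < min_version:
        findings.append("IOS %d.%d is older than policy minimum %d.%d"
                        % (ver + min_version))
    # Matches 'enable password X' and 'enable secret [type] X'; only the
    # cleartext default values listed in WEAK_PASSWORDS are flagged.
    m = re.search(r"^enable (?:password|secret)\s+(?:\d\s+)?(\S+)", config, re.M)
    if m and m.group(1).lower() in WEAK_PASSWORDS:
        findings.append("enable credential is a well-known default")
    # Walk each 'line ...' block; telnet without an access-class is flagged.
    # Caveat: old IOS defaults to telnet when no 'transport input' line is
    # present, so a vty block with no transport line is not caught here.
    for block in re.split(r"^(?=line )", config, flags=re.M)[1:]:
        if not block.startswith("line vty"):
            continue
        telnet = re.search(r"^\s*transport input\s+(?:all|.*\btelnet\b)", block, re.M)
        acl = re.search(r"^\s*access-class\s+\S+\s+in", block, re.M)
        if telnet and not acl:
            findings.append("vty accepts telnet with no access-class")
    return findings
```

Running `audit_config(SAMPLE_CONFIG)` yields three findings; the same config with a newer version, an `enable secret`, and an `access-class ... in` on the vty block yields none.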
participants (15): Chris Adams, Christopher L. Morrow, David Barak, Fergie (Paul Ferguson), Florian Weimer, Geo., James Baldwin, Janet Sullivan, John A. Kilpatrick, John Forrister, Randy Bush, Scott Morris, Scott Whyte, Suresh Ramasubramanian, Valdis.Kletnieks@vt.edu