Cisco IOS Exploit Cover Up

One thing that bugs me, though, is the quote that is
credited to Lynn:

[snip]

"I feel I had to do what's right for the country and the national infrastructure," he said. "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."

[snip]

http://www.securityfocus.com/news/11259

Lynn's statement would tend to make one believe that this is
yet another example of a vulnerability that is awaiting an
exploit, not one that has yet to be discovered -- a sort of
Sword of Damocles, if you will...

- ferg

> Lynn's statement would tend to make one believe that this is
> yet another example of a vulnerability that is awaiting an
> exploit, not one that has yet to be discovered -- a sort of
> Sword of Damocles, if you will...

I think he's just pointing out that the risk assessments of many
network operators are way off. Some postings to this list certainly
suggest that. Too many people seem to have forgotten the work done by
Phenoelit. Maybe their exploits leave something to be desired, but,
as the saying goes, attacks only get better.

In other words, it's not about a single vulnerability. It's about a
widespread belief in the invincibility of IOS. And, to be honest, I'm
scared how many people subscribe to that religion. Such irrationality
puts networks at risk, far more than any single vulnerability could.

> I think he's just pointing out that the risk assessments of many
> network operators are way off.

I think there is also a LOT of concern about all the unpatched routers that
remain unpatched simply because the admins don't feel like spending a week
running the Cisco gauntlet to get patches when you don't have a support
contract with Cisco. It's like Cisco doesn't want you to patch or they would
make it easy.

Geo.

> I think there is also a LOT of concern about all the unpatched routers that
> remain unpatched simply because the admins don't feel like spending a week
> running the Cisco gauntlet to get patches when you don't have a support
> contract with Cisco. It's like Cisco doesn't want you to patch or they would
> make it easy.

could they be unpatched because no one has sent out a notice saying
"versions before X have known vulnerabilities. upgrade now to one
of the following: ...?"

randy

It's interesting...yes, I do make fun of my Windows brethren about their
security problems, but the fact is they have it pretty easy since you know
when MS security patches are coming out and you know when you'll have to
patch your servers. But Cisco doesn't seem to make it that easy to keep a
large environment of their devices up to date. Some better tools from
them would be good - even for those of us who do have support contracts.

I spoke with people with Lynn in Vegas and confirmed the following: if anyone is watching the AP wire or Forbes you'll see that Cisco, et al. and Lynn have settled the suit.

http://www.forbes.com/business/feeds/ap/2005/07/28/ap2163964.html

> I spoke with people with Lynn in Vegas and confirmed the following:
> if anyone is watching the AP wire or Forbes you'll see that Cisco, et
> al. and Lynn have settled the suit.

i missed the part where we, the likely actual injured parties, learn
to what we are vulnerable and how to protect ourselves.

randy

I would direct you to your account manager at Cisco. ;)

or... cause new IOS won't run on them.

Indeed - Cisco's hardware, especially the older, smaller boxes, tended
to be really solid once you got them running. I was just pondering a
few minutes ago on how many 2500's I configured & installed in 1996 & 1997
are still running today, on code that's no longer supported by
Cisco, and which are incapable of taking enough flash to load a newer image.

-John

As a definite example, A client of mine has a 1601
sitting on the end of a T1 running 11.3... They're
not interested in spending any money on an upgrade, as
the box is doing exactly what they want: running RIP
internally, and taking Ethernet-in and Serial-out.

-David

> Indeed - Cisco's hardware, especially the older,
> smaller boxes, tended
> to be really solid once you got them running. I was
> just pondering a
> few minutes ago on how many 2500's I configured &
> installed in 1996 & 1997
> are still running today, on code that's no longer
> supported by
> Cisco, and which are incapable of taking enough
> flash to load a newer image.

> As a definite example, A client of mine has a 1601
> sitting on the end of a T1 running 11.3... They're
> not interested in spending any money on an upgrade, as
> the box is doing exactly what they want: running RIP
> internally, and taking Ethernet-in and Serial-out.

As a counter-point, many thousands of routers were needlessly upgraded
because of Y2K, edge to core. It's not about reality, it's about
perception.

-Scott

And quite honestly, we can probably be pretty safe in assuming they will not
be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
exploits) or SSH (even other exploits) on that box. :) (the 1601 or the
2500's)

But, in the advisory that Cisco put out, it did mention free software
upgrades were available even to non-contract customers. They simply had to
originate from a call to TAC about it. Doesn't seem too bad.

Not everyone has to worry about these things. Place and time.

Scott

> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box. :) (the 1601 or the
> 2500's)

Let's see - RIP, Telnet, and SNMP are the only
services listening on the box, and those are ACLed off
at the serial interface. I'd LOVE to run SSH, but my
image is not kind, nor is the size of the flash...

> Not everyone has to worry about these things. Place
> and time.

Agreed - I just wanted to give a concrete example of
this stuff in the wild.

David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com

Scott Morris wrote:

> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box. :) (the 1601 or the
> 2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but 7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by Cisco, one not.

Exploit #1 will be made public. Cisco will released fixed code. Good service providers will upgrade.

The upgraded code version will be the one targeted by the second, unknown, exploit.

A two-part worm can infect Windows boxen via any common method, and then use them to try the exploit against routers. A windows box can find routers to attack easily enough by doing traceroutes to various sites. Then, the windows boxen can try a limited set of exploit variants on each router. Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm creators that "Hey, you 0wn X number of routers", or it could do something fun like erasing configs and locking out console ports. ;)

Honestly, I've been expecting something like that to happen for years now. <shrug>

Once upon a time, Janet Sullivan <ciscogeek@bgp4.net> said:

> If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
> 7200s, 7600s, GSRs, etc.

Right. And if they wanted to cause chaos on computers, they'd ignore
business desktops and home computers and target large server farms.

How many home computers did Mafiaboy DDoS?

That's like saying "nobody will write windows trojans to infect tiny
PCs, they'll go after big fat *nix servers with rootkits"

Something as simple as a default enable password :) I wonder how many
routers out there have open telnet access and enable set to "cisco" or
"password123" :)
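Two posts in this thread describe the same checklist from opposite sides: David's 1601 with RIP, Telnet and SNMP ACLed off at the serial interface, and the closing worry about boxes with open Telnet and an enable password of "cisco". As an added example (not code from the thread, from Cisco, or from any poster), here is a small Python audit that reads an IOS-style configuration and flags exactly those exposures. Both configs embedded below are constructed for illustration; the hostname, addresses, community string and hash values are made up, and the hardened one is only a sketch of what David describes, not his actual config.

```python
"""Audit a Cisco IOS configuration for the management-plane exposures the
thread keeps coming back to: default or reversible enable passwords, VTY
lines reachable from any source, SNMP communities with no ACL, and a WAN
interface with no inbound ACL.  Added example; the two configs below are
constructed and every address, hostname, community and hash is made up."""

# Constructed: the unmaintained edge box the thread worries about.
WEAK_CONFIG = """\
hostname edge-1601
enable password cisco
!
snmp-server community public RO
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
!
line vty 0 4
 password cisco
 login
"""

# Constructed: the same box with Telnet (tcp/23), SNMP (udp/161) and RIP
# (udp/520) ACLed off inbound on the serial interface, VTY access limited
# to the inside LAN, and a hashed enable secret.
HARDENED_CONFIG = """\
hostname edge-1601
service password-encryption
enable secret 5 $1$abcd$MadeUpHashValueForIllustrat0
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp any any eq 23
access-list 101 deny udp any any eq 161
access-list 101 deny udp any any eq 520
access-list 101 permit ip any any
!
snmp-server community r0-Xk7q RO 10
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
!
line vty 0 4
 access-class 10 in
 password 7 0822455D0A16
 login
"""

# Values worth flagging outright; extend from your own password policy.
DEFAULT_SECRETS = {"cisco", "password", "password123", "admin", "public", "private"}


def parse_blocks(config):
    """Split an IOS config into (command, [sub-commands]) pairs.

    IOS indents the sub-commands of a mode (interface, line, ...) by one
    space and uses '!' lines as separators, so no real parser is needed."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of (severity, message) findings, highest severity first."""
    findings = []
    has_enable_secret = False
    for cmd, body in parse_blocks(config):
        tok = cmd.split()
        if tok[:2] == ["enable", "secret"]:
            has_enable_secret = True
        elif tok[:2] == ["enable", "password"]:
            if tok[2] == "7":  # type 7 is a trivially reversible obfuscation
                findings.append(("HIGH", "enable password is type 7 (reversible); use enable secret"))
            elif tok[2].lower() in DEFAULT_SECRETS:
                findings.append(("CRITICAL", f"default enable password '{tok[2]}'"))
            else:
                findings.append(("HIGH", "cleartext enable password; use enable secret"))
        elif tok[:2] == ["snmp-server", "community"]:
            name, rest = tok[2], tok[3:]
            if name.lower() in DEFAULT_SECRETS:
                findings.append(("CRITICAL", f"default SNMP community '{name}'"))
            # anything after the optional RO/RW is the ACL restricting source addresses
            if not [t for t in rest if t.upper() not in ("RO", "RW")]:
                findings.append(("HIGH", f"SNMP community '{name}' reachable from any source (no ACL)"))
        elif tok[:2] == ["line", "vty"]:
            if not any(sub.startswith("access-class") for sub in body):
                findings.append(("HIGH", f"'{cmd}' has no access-class; Telnet open to any source"))
            for sub in body:
                s = sub.split()
                if s[0] == "password":
                    if s[1] == "7":
                        findings.append(("LOW", f"'{cmd}' password is type 7 (reversible)"))
                    elif s[-1].lower() in DEFAULT_SECRETS:
                        findings.append(("CRITICAL", f"'{cmd}' uses default password '{s[-1]}'"))
        elif tok[0] == "interface" and tok[1].startswith("Serial"):
            if not any(sub.startswith("ip access-group") and sub.endswith(" in") for sub in body):
                findings.append(("MEDIUM", f"{tok[1]} has no inbound ACL; Telnet/SNMP/RIP reachable from the WAN"))
    if not has_enable_secret:
        findings.append(("HIGH", "no enable secret configured"))
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_config(cfg):
            print(f"{sev:8} {msg}")
```

Run it against a saved `show running-config` and the weak sample produces seven findings (three of them CRITICAL), while the hardened sample is left with a single LOW note: `service password-encryption` only obfuscates line passwords with the type 7 cipher, so a config that leaks still gives up the VTY password, which is why the real protection is the `access-class` and the serial-interface ACL rather than the password itself.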