Emergency Internet Backbone Provider Maintenance Tonight

All:

Has anyone heard about some carriers doing emergency maintenance tonight
on Internet routers due to a code vulnerability? I'm trying to find out
what vendor it involves and the details behind it. I understand it's
still under NDA, but I'm sure someone out there knows more.

Thanks,

- Darrell

Perhaps due to the vulnerabilities mentioned below.

Todd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco IOS Embedded Call
Processing Solutions

Revision 1.0

For Public Release 2005 January 19 1500 UTC

One of my upstreams did so on the transit router we connect to.

Todd Mitchell - lists wrote:

> Has anyone heard about some carriers doing emergency maintenance tonight
> on Internet routers due to a code vulnerability? I'm trying to find out
> what vendor it involves and the details behind it. I understand it's
> still under NDA, but I'm sure someone out there knows more.

> Perhaps due to the vulnerabilities mentioned below.

Very unlikely.

Pete

It would appear to be Juniper:
https://puck.nether.net/pipermail/juniper-nsp/2005-January/003489.html

Current info I have is that updated aka special images are being
pushed to resellers and support partners. And that a formal advisory
is probably planned for late January or early February. BTW, this is
Nth-hand info...

As to what the problem is, well, current info is too vague...

Regards,
JP Velders
(a potential Juniper customer, who's updating his RFP security section)

> Has anyone heard about some carriers doing emergency maintenance tonight
> on Internet routers due to a code vulnerability? I'm trying to find out
> what vendor it involves and the details behind it. I understand it's
> still under NDA, but I'm sure someone out there knows more.

I doubt it's related, but the only thing I noticed is that sometime around 4am PST, twtelecom seems to have started blocking port 22 somewhere between 66.192.251.24 and 66.192.255.90, since I was in the middle of an ssh session when it dropped. Fortunately, I run a secondary ssh process, as well as having several alternate routes available to get around this. So I just forwarded the tcptraceroutes and other appropriate info to Cox (as this is from my cablemodem at home) since I don't really want to call twtelecom's NOC at 4 in the morning.

Hmmmm, is that a possible fat-fingering of a port 25 block? The 2 and 5
keys are very close on the number pad.

-Jim P.

I do not expect that any carrier took this as an emergency - the defect is
quite harmless (DoS in the worst case, + no exploits known, + no
interest for anyone to do it, + VoIP gateways involved only...). Even if
someone is doing maintenance, it can be noticed by VoIP network users only.

Moreover, correct me if it was not a defect in Cisco Express Call Center (call
center @ IOS) - I cannot imagine carriers using this (it was designed for
small businesses).

Why treat a simple, relatively harmless defect (requires an upgrade at the next
scheduled time, usually 1 - 3 weeks) as a terrible threat to everyone? Even the BGP
problem was much more dangerous (and not a single case known since, so it
was not an emergency either)..

I agree - this would not be a defect that would require backbone maintenance
- it's a defect that would affect edge VOIP devices, hardly core
infrastructure.

Of course, it could be that there is another more serious defect out there
that major providers have been pre-warned about and are deploying
countermeasures prior to a general disclosure (à la the SNMP vulnerabilities).

We'll have to wait and see.

Well, the point was made in my office on Friday that the upgrade was
not just snmp or sshd but that they were required to upgrade the core
operating code. This suggests to me that it's something to do with
packets or packet handling, not with services. Which makes me all the
more concerned. Of course, it will probably be something along the
lines of "When receiving a packet with such and such format with some
particular service enabled, the router might reload under specific
conditions" or some such thing that will not affect many people other
than the tier 1s who work their routers way harder than any of us
lilliputians.

Well, the last time an upgrade like this was pushed through was caused by the (BGP) TCP RST spoofing "vulnerability", which was not a big issue at all especially if you had secured your borders properly against spoofing. I really hope it's bigger this time..
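
The post above argues that the 2004 BGP/TCP RST spoofing issue was a non-event for anyone with anti-spoofing filters at the border. The following is an added example (not from the poster or from any vendor) that models the two defenses in plain Python: BCP 38 / RFC 2827 ingress filtering, which drops a customer-facing packet whose source lies outside the customer's prefixes so a spoofed RST never reaches the session, and RST sequence-number validation, contrasting the pre-2005 behaviour (any in-window RST aborts the connection) with the RFC 5961 behaviour that postdates this thread (abort only on an exact RCV.NXT match, challenge ACK otherwise). The interface names, prefixes, addresses, window and sequence numbers are constructed for the example, and `blind_guesses` counts the worst-case sequence numbers an off-path attacker must try under each rule.

```python
"""
Added example: two defenses against blind TCP RST spoofing against a
long-lived session such as BGP, modelled in plain Python.

1. BCP 38 / RFC 2827 ingress filtering: a segment arriving on a customer-
   facing interface with a source address outside that customer's prefixes
   is dropped, so a spoofed RST never reaches the router's TCP stack.
2. RST validation: a pre-RFC 5961 stack aborts on any RST whose sequence
   number falls inside the receive window; an RFC 5961 stack aborts only
   on an exact RCV.NXT match and answers an in-window RST with a
   challenge ACK.

Interface names, prefixes, addresses, windows and sequence numbers below
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32

# Constructed ingress policy: interface -> prefixes permitted as source.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],  # customer A
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/24")],   # customer B
}


@dataclass
class Segment:
    ifname: str   # interface the segment arrived on
    src: str
    dst: str
    seq: int
    rst: bool = False


def bcp38_permits(seg: Segment) -> bool:
    """True if seg's source is inside the prefixes assigned to its ingress
    interface (BCP 38); False means drop. Unknown interfaces fail closed."""
    allowed = INGRESS_PREFIXES.get(seg.ifname)
    if allowed is None:
        return False
    src = ipaddress.ip_address(seg.src)
    return any(src in net for net in allowed)


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic check RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32,
    so sequence-number wraparound is handled."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-RFC 5961: any in-window RST tears the connection down."""
    return "abort" if in_window(seq, rcv_nxt, rcv_wnd) else "ignore"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """RFC 5961 section 3.2: abort only when SEG.SEQ == RCV.NXT; an
    in-window but inexact RST gets a challenge ACK; otherwise ignore."""
    if seq == rcv_nxt:
        return "abort"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "ignore"


def blind_guesses(rcv_wnd: int, exact: bool) -> int:
    """Worst-case number of sequence numbers an off-path attacker must try
    to land a RST the stack will act on: 2^32 if an exact match is needed,
    ceil(2^32 / window) if any in-window value suffices."""
    return SEQ_SPACE if exact else -(-SEQ_SPACE // rcv_wnd)


def main() -> None:
    # A spoofed RST claiming customer B's address but arriving on A's port.
    spoofed = Segment("ge-0/0/1", "203.0.113.7", "192.0.2.1", 1004000, rst=True)
    legit = Segment("ge-0/0/1", "198.51.100.5", "192.0.2.1", 1004000, rst=True)
    print("spoofed RST passes BCP 38:", bcp38_permits(spoofed))
    print("legit RST passes BCP 38:  ", bcp38_permits(legit))

    rcv_nxt, rcv_wnd = 1_000_000, 16_384
    for seq in (1_004_000, 1_000_000, 2_000_000):
        print(f"seq={seq}: legacy={rst_action_legacy(seq, rcv_nxt, rcv_wnd)} "
              f"rfc5961={rst_action_rfc5961(seq, rcv_nxt, rcv_wnd)}")
    print("guesses, in-window rule:", blind_guesses(rcv_wnd, exact=False))
    print("guesses, exact rule:    ", blind_guesses(rcv_wnd, exact=True))


if __name__ == "__main__":
    main()
```

With a 16 KB window the in-window rule leaves an attacker roughly 262,000 guesses, which is why the attack was considered practical against long-lived BGP sessions with large windows, while the exact-match rule pushes it back to the full 2^32 space; the BCP 38 check removes the attack entirely for sources the edge can vouch for.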

This is just a stream of consciousness, but I perceive that most of the
"vulnerabilities" (BGP, SNMP, etc) are mostly knee-jerk reactions to what is
reported to vendors by trophy hunters out there looking for easy kills. For
sure, they are real and true, and need to be disclosed by the relevant
vendors that are affected, but is the frenzy that ensues after the
vulnerability announcements warranted?

Discuss.. :)