[ISN] Software bug hits Cisco

From: mea culpa (jerichot_private)
Date: Fri Oct 16 1998 - 12:28:17 PDT

    Forwarded From: darek milewski <darekmt_private>
    
    http://www.zdnet.com/zdnn/stories/printer_friendly/0,3845,2149744,00.html
    
    Software bug hits Cisco
    By Charles Cooper and Michael Fitzgerald, ZDNet News
    October 14, 1998 6:31 PM PT
    
    A software error has been uncovered that compromises the security of
    certain products made by Cisco Systems Inc. 
    
    The bug -- which affects the company's networking software -- allows
    unauthenticated users to penetrate logins for routers and other Cisco IOS
    (Internetworking Operating System) devices. That, in turn, can open the
    door for hackers to read information entered by prior users of the devices
    -- including passwords. 
    
    However, Cisco (Nasdaq:CSCO) says the danger is limited: The only
    information likely to get exposed would be at the prompt of the IOS
    device, and any data that gets forwarded would not be exposed. 
    
    The problem affects devices running Cisco IOS software, including most,
    but not all, Cisco router products, according to Cisco.  The company says
    the glitch affects versions 9.1 and later of its IOS software. 
    
    We've got a problem 
    
    "This is certainly cause for concern," said John Bashinski, a spokesman
    for Cisco. "We want to see people upgrade if they can reasonably do so.
    This potentially gives away a password. Obviously, that's something you
    don't want to give away."
    
    The opening would let hackers -- who would only need to establish a
    terminal connection -- reproduce "nearly complete lines, and fragments
    tens of characters long," according to a document posted on Cisco's Web
    site. 
    
    Bashinski said Cisco has issued fixes that can be downloaded from the
    company's Web site. He declined to gauge the severity of the problem --
    which he described as a "vulnerability caused by a bug" -- but suggested
    that customers download the fix. 
    
    "If it was in my network, I would look at upgrading," he said. "I wouldn't
    panic." 
    
    Analysts also weren't panicked, though they also weren't advising
    complacence. 
    
    "It would be potentially a disaster if such a security breach were to take
    place," said Craig Mathias, president of Farpoint Group in Ashland, Mass. 
    
    This is only the latest instance of an Internet-related product found to
    be vulnerable because of a software glitch. In recent months, at least one
    other Cisco bug has been discovered, as well as bugs that compromise
    Internet browsers made by both Microsoft Corp. and Netscape Communications
    Corp. 
    
    Mathias said the bugs can't be avoided. "All software has bugs, and the
    bigger the software gets, the more bugs it has." 
    
    They keep knocking
    
    "The underlying significance here is we have more and more people looking
    at ways to get into and get access to systems that are critical to the
    Internet," said Rob Enderle, an analyst at Giga Information Group, who
    expressed doubt in the ability of vendors to consistently produce
    glitch-proof products. 
    
    "There's just too much change going on," he said. "The technology is going
    to have to stabilize for a while until much heavier security can be
    wrapped around a more simplified structure. What we're waiting for is a
    major disaster. That's what it'll take to get us to a more secure
    environment."
    