[ISN] Security software crashes Cisco kit

From: InfoSec News (isnat_private)
Date: Fri May 25 2001 - 10:47:43 PDT

  • Next message: InfoSec News: "[ISN] Insurer Considers Microsoft NT High-Risk"

    http://www.theregister.co.uk/content/5/19215.html
    
    By John Leyden
    Posted: 25/05/2001 at 12:14 GMT
    
    Probing Cisco's networking equipment with vulnerability scanning
    software is liable to crash its boxes, the networking giant has been
    forced to admit.
    
    The problem, which is due to a flaw in the design of Cisco's IOS
    (Internetwork Operating System) software, can be exploited to produce
    a consistent denial of service (DoS) attack.
    
    Cisco has advised customers using affected IOS software - 12.1(2)T and
    12.1(3)T - to upgrade to later versions of the software, which it has
    promised to make freely available. The issue affects a large number of
    Cisco's router products and some of its LAN switches. More information
    on the issue is available here.
    
    The DoS aspect of the flaw was discovered by what Cisco describes as
    "many" of its customers who uncovered the bug while conducting
    security scans of their networks. Despite this Cisco said it is yet to
    receive reports of malicious exploitation of the problem.
    
    In its security notice Cisco stated: "Security scanning software can
    cause a memory error in Cisco IOS Software that will cause a reload to
    occur. The described defect can be used to mount a denial of service
    (DoS) attack on any vulnerable Cisco product."
    
    Gunter Ollman, principal consultant at Internet Security Systems,
    which markets vulnerability scanning software, said that just about
    any vulnerability scanner would include a port scanner.
    
    He added that the ports associated with the IOS bug are used by Trojan
    horse programs and would therefore routinely be scanned when a
    customer decided to audit the security of a network.
    
    It's unclear how widely deployed affected products are but Ollman
    suggested that the defect was so obvious that it couldn't have gone
    unnoticed for long. He believes that upgrading an affected device is
    relatively straightforward but admits that this is just an educated
    guess on his part.
    
    Last June, different versions of IOS were discovered to be subject to
    an eerily similar type of denial of service vulnerability which, like
    the latest bug, could be triggered by security scanning software. This
    would appear to call for a rewrite of this part of the software and
    we'd dearly love to quiz Cisco on this.
    
    Unfortunately Cisco hasn't responded to our offer of cash for
    interviews. From a number of emails I've received from Register
    readers about their attempts to gain advice on patching up security
    holes with 600 series routers, it seems like the Borg aren't talking
    to their customers either. All enquiries are been referred to the
    users' service providers.
    
    I've been paid today and am prepared to dip into my pocket for a
    chance to properly quiz Borg Central on this. Any payment must not
    conflict with my ability to pay for a round at the bar tonight. After
    all it is bank holiday weekend and some things are sacred...
    
    [Cisco security advisory:
    http://www.cisco.com/warp/public/707/ios-tcp-scanner-reload-pub.shtml ]
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Sun May 27 2001 - 03:38:00 PDT