[ISN] Attacks already exploiting Cisco IOS vulnerability

From: InfoSec News (isnat_private)
Date: Mon Jul 21 2003 - 01:28:34 PDT

  • Next message: InfoSec News: "[ISN] Calculating security ROI is tricky business"

    http://www.nwfusion.com/news/2003/0718cisattacks.html
    
    By Paul Roberts
    IDG News Service
    07/18/03
    
    Security experts are warning that ready-made code which exploits a
    recently announced Cisco IOS software vulnerability is circulating and
    attacks using the exploit are taking place.
    
    Cisco did not respond to requests for comment, but updated its IOS
    bulletin to say that it is aware that an exploit had been published on
    a public mailing list.
    
    On Wednesday, Cisco warned of a widespread and serious flaw in IOS
    that could make devices using the operating system vulnerable to a
    denial-of-service (DoS) attack.
    
    The flaw affects a wide range of Cisco devices that run IOS and accept
    data packets using IPv4, including Cisco's popular Catalyst family of
    switches, 7300 series routers and Aironet family of wireless access
    points.
    
    The exploit was posted to prominent security discussion lists by an
    unknown individual using the name "Marion Barry" and an e-mail address
    at the free Hotmail e-mail service.
    
    Security provider Internet Security Systems Inc. said that it had
    tested the code contained in that message and that it works, according
    to Dan Ingevaldson, engineering director for ISS X-Force.
    
    The code contains a small program written in the C programming
    language that makes it easy to quickly develop an exploit using the
    IOS vulnerability, Ingevaldson said.
    
    "It's probably 200 lines. All it does is give you instructions on how
    to create an exploit. You just point at a target and it will fire an
    attack," he said.
    
    A malicious hacker with a "moderate degree of sophistication" could
    run the exploit, according to Shawn Hernan, a member of the technical
    staff at the CERT Coordination Center.
    
    ISS received reports Friday of the code being copied widely on the
    Internet and used in attacks on Internet service providers and major
    Internet backbone providers.
    
    ISS does not know where the exploit came from, but was surprised by
    the speed with which it appeared, according to Ingevaldson.
    
    "All I know is that there was an update on the Cisco bulletin and a
    few hours later there was an exploit," he said, referring to Cisco's
    modification of its earlier security bulletin regarding the IOS
    vulnerability.
    
    That update bulletin gave more specific information than was first
    released on what protocols could be used with IPv4 data packets to
    trigger the IOS vulnerability and create a denial-of-service attack on
    vulnerable Cisco devices.
    
    "Maybe it was not as hard as people thought," Ingevaldson said.
    
    Providing more information on the vulnerability is a "double-edged
    sword," Hernan said.
    
    The additional information provided by Cisco allowed organizations to
    create more focused access control lists to thwart attacks, and
    provided needed information to companies creating intrusion detection
    signatures to block the new attack traffic, he said.
    
    However, it also may have given important clues to those interested in
    creating code to exploit the vulnerability.
    
    CERT was aware of heightened interest in the IOS vulnerability within
    online communities of individuals interested in computer intrusion,
    Hernan said. But it is unclear whether the updated bulletin provided
    the clues needed to create a successful exploit, he said.
    
    "It might have been a matter of time. No one can really know," he
    said.
    
    The quick appearance of an exploit follows similar releases for
    vulnerabilities affecting the Apache Web server, and Microsoft's
    WebDAV HTTP protocol extensions.
    
    "It kind of unseats the common adage that there's a 30-day window
    after an exploit is developed," Ingevaldson said.
    
    Customers are advised to patch affected Cisco systems at the earliest
    convenience and also apply workarounds such as access control lists
    (ACL) to block attack traffic, in keeping with guidelines released by
    Cisco.
    
    Ingevaldson noted that even patched routers will pass attack traffic
    on to other devices, allowing attack traffic to circulate until a
    vulnerable Cisco device is found, making the use of ACLs more
    important, he said.
    
    But Hernan disputed that, saying that while patched routers will pass
    traffic along, malicious traffic must target a specific Cisco device.
    
    In addition to Cisco, both CERT and the SANS Institute issued warnings
    about the exploit.
    
    The U.S. Department of Homeland Security was also informed of the
    circulating exploit, according to SANS. A DHS spokeswoman had no
    comment.
    
    Organizations using Cisco products with vulnerable versions of the IOS
    operating system were strongly encouraged to review the security
    bulletin and upgrade to a patched version of IOS. In addition,
    customers should review the updated workaround information provided by
    Cisco in the bulletin, SANS said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jul 21 2003 - 04:36:11 PDT