Wednesday, January 24, 2007

It's Cisco again… again…

It seems like Cisco has rapidly become one of my favorite things to talk about on this blog. Cisco shipped 3 security updates today for a variety of problems. The worst problem, if taken advantage of, could stop a router from passing traffic and could have the potential for code execution. This isn't good; in fact it's bad. This should make network engineers who live in Cisco-only shops very afraid. Diversify your solutions; it's the only way to make a survivable network these days.


Errata customers should have access to the briefs on the vulnerabilities with full HEVs coming soon.

The three vulnerabilities are in the handling of TCP packets, IP options, and IPv6 packets. I find this to be a bit humorous because, if you don't know, I worked on the same Advanced Research and Development team as Mike Lynn did while at ISS. In fact we all used to sit in a big room together. The reason all that Cisco research started in 2005 was that Cisco refused to share information on an IPv6 vulnerability that was released in January of '05, and here we have another one. With the advances in reverse engineering and the availability of better tools, I wouldn't be at all surprised if someone had, and was passing around, a Proof-of-Concept for any of these bugs that at least performs a Denial-of-Service.

Again, let me state for the record how I feel about this: do not buy a single-vendor solution for something as important as the very basis for how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches, but eventually something like this will happen. Do you really want to be up all night wondering if your network can be patched faster than hackers can develop a working exploit? And remember, they don't need to get a shell; they just need a DoS to cause havoc.

Cisco alerts.

Interesting and timely post from Halvar about using BinNavi on embedded systems (like IOS).

1 comment:

dre said...

The worst problem, if taken advantage of, could stop a router from passing traffic

This sounds familiar. Interesting how these vulns affect every IOS device since day-zero (all versions).

Zero-day day-zeroes are neat.

With the advances in reverse engineering and the availability of better tools I wouldn’t be at all surprised if someone had and was passing around a Proof-of-Concept for any of these bugs that at least perform a Denial-of-Service.

Since I happily discovered the Cisco IPv4 vulnerability in 2003 (somebody else released the PoC), I can tell you that it took me a whole 3 hours to discover the bug. The PoC release followed 6 hours after that time period.

It took longer for people to come up with snort signatures to find the PoC than it did for us to invent, test, and release it.

As a result, IP protocols 53, 55, 77, and 103 are still blocked globally on the Internet. That's an easy workaround!

And "slipping in through the window" is still a problem on the Internet regardless of TCP/IP stack implementors' work on the matter post CanSecWest, IETF, and NANOG review.

The reason all that Cisco research started in 2005 was that Cisco refused to share information on an IPv6 vulnerability

Huh. This all is starting to sound really familiar. I'm getting some serious deja-vu. Oh yeah - ciscofun.blogspot.com doesn't appear to be taken yet.

Do you really want to be up all night wondering if your network can be patched

By "patched" do you really mean "rolling reboots"? Don't worry, the operators will use TFTP (a cleartext UDP-based protocol) to load the new images. Great success!

I know you may get volume discounts or sales reps might take you to nice lunches

I would be surprised if Enterprises will ever change their ways on this matter. Most see downtime and security problems as a way to sue their ISP or at least get SLA credits.

ISPs don't understand this problem either. However, they do get priority upgrades from Cisco and custom code. I'm sure that will be enough to avoid an incident. Right?

Finally, I also fail to see how a single vendor would alleviate this issue. Most companies only have one router. Or they have two routers, but they don't have BGP. Or they have BGP, but they don't have it set up correctly. Or they have it set up correctly, but run their network at 60% or more, and not even at peak traffic levels.

My favorite thing about Cisco (and the lure to it for most network engineers) is all the buts, ifs, ors, and kindas that exist when you design or configure something. It's a vulnerability assessor's wet dream.
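The edge workaround dre mentions above (dropping IP protocols 53, 55, 77 and 103) and the post's note that one of the new bugs sits in IP-options handling both come down to looking at a few IPv4 header fields. The following is an added example, not code from the post, the commenter, or Cisco: a small IPv4 header parser plus a verdict function that drops the listed protocols and flags any packet carrying IP options for inspection. The packet builder and the addresses it uses are constructed test data only.

```python
import struct

# Protocol numbers dre's comment says are still blocked globally as a
# workaround for the 2003 Cisco IPv4 bug (values taken from the comment).
BLOCKED_PROTOCOLS = {53, 55, 77, 103}

def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and return the fields an edge filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F   # IHL is in 32-bit words
    if version != 4 or ihl < 5:
        raise ValueError("not a well-formed IPv4 header")
    header_len = ihl * 4
    if len(pkt) < header_len:
        raise ValueError("IHL claims more header than the packet holds")
    total_len, = struct.unpack("!H", pkt[2:4])
    return {
        "ihl": ihl,
        "has_options": ihl > 5,          # anything beyond 20 bytes is options
        "options": pkt[20:header_len],
        "total_len": total_len,
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }

def edge_verdict(pkt: bytes) -> str:
    """'drop' for the blocked protocols, 'inspect' when IP options are present,
    'pass' otherwise. Malformed headers are dropped as well."""
    try:
        hdr = parse_ipv4_header(pkt)
    except ValueError:
        return "drop"
    if hdr["proto"] in BLOCKED_PROTOCOLS:
        return "drop"
    if hdr["has_options"]:
        return "inspect"
    return "pass"

def build_ipv4(proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test-packet builder (checksum left zero; never put on the wire)."""
    options += b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))  # RFC 5737 test addresses
    return hdr + options + payload
```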