Showing posts with label Cisco. Show all posts

Monday, February 19, 2007

Errata loves ebay




Anybody want to guess what these are for? If you said reversing Cisco routers for exploit and vulnerability development, you would be right. Because Cisco refuses to share vulnerability information with anybody, Errata is one of the few companies you can go to for details on Cisco flaws.

Wednesday, January 31, 2007

Stop me if you've heard this one... So a priest, a rabbi, and Cisco IOS walk into a bar…

Cisco devices running IOS which support voice and are not configured for Session Initiated Protocol (SIP) are vulnerable to a crash under yet to be determined conditions, but isolated to traffic destined to Port 5060. SIP is enabled by default on all Advanced images which support voice and do not contain the fix for CSCsb25337. There are no reports of this vulnerability on the devices which are properly configured for SIP processing. Workarounds exist to mitigate the effects of this problem.


http://www.securityfocus.com/archive/1/458661/30/0/threaded

No really, I can't buy humor like this. Since my day job is analyzing security problems, let me give you readers my professional opinion on this one. For Cisco to release an advisory for a "yet to be determined condition", a very large customer, or several large customers, must be complaining that their infrastructure is getting hit with this.

Why build a 100,000 botnet army when you can DoS a site with a few packets?

So this might actually be Cisco 0day in the wild! Or it could just be a badly configured SIP client that doesn't respect the RFC very well and is accidentally bringing down companies. Since Cisco's own VoIP solution uses SCCP rather than SIP, I wonder how many Cisco VoIP deployments are vulnerable to something like this. Of course I am just speculating until I find the problem (and trust me, I am looking heavily right now), but it's very unusual for Cisco to release an advisory for a problem they can't pin down yet, and since they don't share security information there isn't much else that can be done besides running a SIP fuzzer. BTW, although they say it later in the advisory, "a reload" is a spin way of saying this will lead to a denial-of-service attack. Ordinarily DoSes are lame, unless they can stop an entire infrastructure from working; then they become cool.

Errata Security is currently researching this new threat and will alert customers as soon as we have it pinned down.

So let me restate something that seems to be a weekly thing: Diversity is a great way to ensure either a malicious kid or just plain bad software doesn’t bring down your network.

UPDATE: If you are a Cisco customer, ask them why they don't share security information with security vendors. If they try the national security line please roll your eyes.
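Cisco's advisory scopes the problem to traffic destined to port 5060 on the router itself, and that scoping is something you can watch for in flow data while waiting for a fix. The script below is an added example, not code from the original post or from Cisco: it filters constructed flow-export lines for packets addressed to a router's own interfaces on port 5060, then counts how many of those come from outside the networks that are supposed to be talking SIP to the routers. The router addresses, the trusted source range and the flow lines are all assumptions made for the example; transit traffic to a host behind the router is deliberately excluded because the advisory is about packets the router processes itself.

```python
"""Added example (not from the original post): flag flow records that match the
Cisco SIP advisory's scope, i.e. packets addressed to the router itself on port
5060. Router addresses, trusted ranges and flow lines are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Iterable

SIP_PORT = 5060

# Interface addresses of IOS devices running a voice-capable image (assumed).
ROUTER_ADDRESSES = {ip_address("192.0.2.1"), ip_address("192.0.2.2")}

# Networks that legitimately originate SIP toward those routers (assumed).
TRUSTED_SOURCES = [ip_network("10.0.0.0/8")]

# Constructed flow-export lines: "<proto> <src>:<sport> <dst>:<dport> <bytes>".
SAMPLE_FLOWS = """\
udp 198.51.100.7:5060 192.0.2.1:5060 412
udp 198.51.100.7:5060 192.0.2.1:5060 398
tcp 10.1.4.20:40511 192.0.2.1:5060 1200
udp 203.0.113.9:61000 192.0.2.2:5060 9
udp 198.51.100.7:5060 192.0.2.50:5060 412
tcp 203.0.113.9:44000 192.0.2.1:22 3000
"""


def parse_flow(line: str) -> dict:
    """Parse one flow line into its fields; ports and byte counts become ints."""
    proto, src, dst, nbytes = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "bytes": int(nbytes)}


def sip_to_routers(lines: Iterable[str], routers=ROUTER_ADDRESSES) -> list:
    """Return flows addressed to one of the routers' own addresses on port 5060.

    Transit traffic to a host behind the router (192.0.2.50 above) is not in
    scope: the advisory concerns packets the router processes itself.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] == SIP_PORT and ip_address(flow["dst"]) in routers:
            hits.append(flow)
    return hits


def untrusted_sip_sources(lines: Iterable[str], trusted=TRUSTED_SOURCES) -> Counter:
    """Count in-scope flows per source, ignoring sources inside trusted ranges.

    Both UDP and TCP are counted, since SIP signalling can arrive over either,
    and a single short datagram (the 9-byte flow above) is as interesting as a
    full INVITE when the trigger condition is unknown.
    """
    counts = Counter()
    for flow in sip_to_routers(lines):
        src = ip_address(flow["src"])
        if any(src in net for net in trusted):
            continue
        counts[flow["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in untrusted_sip_sources(SAMPLE_FLOWS.splitlines()).most_common():
        print(f"{src}: {n} flow(s) to a router on port {SIP_PORT}")
```

On the constructed input this reports 198.51.100.7 twice and 203.0.113.9 once; the flow from 10.1.4.20 is dropped as trusted, the flow to 192.0.2.50 is transit rather than router-bound, and the SSH flow is off-port. Feed it real flow exports and the untrusted sources are the ones to rate-limit or block at the control plane until the fixed image is in.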

Wednesday, January 24, 2007

It's Cisco again… again…

It seems like Cisco has rapidly become one of my favorite things to talk about on this blog. Cisco shipped three security updates today for a variety of problems. The worst of them, if exploited, could stop a router from passing traffic and could potentially allow code execution. This isn't good; in fact it's bad. This should make network engineers who live in Cisco-only shops very afraid. Diversify your solutions; it's the only way to make a survivable network these days.


Errata customers should have access to the briefs on the vulnerabilities with full HEVs coming soon.

The three vulnerabilities are in the handling of TCP packets, IP options, and IPv6 packets. I find this a bit humorous because, if you don't know, I worked on the same Advanced Research and Development team as Mike Lynn did while at ISS. In fact we all used to sit in a big room together. The reason all that Cisco research started in 2005 was that Cisco refused to share information on an IPv6 vulnerability that was released in January of '05, and here we have another one. With the advances in reverse engineering and the availability of better tools, I wouldn't be at all surprised if someone had, and was passing around, a proof of concept for any of these bugs that at least performs a denial of service.

Again, let me state for the record how I feel about this: do not buy a single-vendor solution for something as important as the very basis of how your network operates. I know you may get volume discounts or sales reps might take you to nice lunches, but eventually something like this will happen. Do you really want to be up all night wondering if your network can be patched faster than hackers can develop a working exploit? And remember, they don't need to get a shell; they just need a DoS to cause havoc.

Cisco alerts.

Interesting and timely post from Halvar about using BinNavi on embedded systems (like IOS).

Tuesday, January 09, 2007

Cisco Stuff...again

This post started as a reply to a comment but kind of took on a life of its own…

It's funny you mention this. Cisco is an odd duck in the security space for a few reasons, the first being that they really don't want anyone to have information on their vulnerabilities. This is different from a lot of other vendors, who belong to information-sharing groups and the like and will work with security vendors to help make sure that there is as much protection as you can get for a vulnerability. They do this by sharing details, and sometimes even packet captures, of vulnerabilities to make sure protection can be quickly and accurately crafted.

They claim this is for "national critical infrastructure" reasons and whatnot. Responses are pretty general: "a single router exploit could bring down the internet and countless government and military installations." (Note to readers: Cisco makes my point about buying single-vendor solutions for me with these kinds of responses. If you are planning disaster recovery strategies, do your security officer a favor and make sure it's a diverse solution.)

I do not doubt their claims, but they seem to imply that sharing information with other vendors is the equivalent of handing it to hackers. You want to know the real reason they don't share? Ever been in a Cisco sales pitch? I sure have, and this is what I heard:

“If you have a Cisco shop you HAVE to buy Cisco security products. We don’t release details to any other security vendor so if you want to be able to protect against threats to Cisco gear you need to buy Cisco security gear!”

Cisco will not be giving up a competitive advantage like that any time soon, and if anyone tells you they would, look at them like they have just grown a second head. What's the point of all this, you may be asking? Because Cisco likes to keep their technology closed and doesn't share things like security information with any third party, how can you even be sure they fixed a problem?

What is the solution for this problem? Third parties that can reverse Cisco security updates and provide that information to interested parties. So to answer the initial question: yes, we are looking at Cisco products.

Thursday, January 04, 2007

The behemoth awakens…and feeds…

http://www.ironport.com/company/ironport_pr_2007-01-04.html

FEED THE MONSTER!!! I mean, what an interesting acquisition for Cisco. One has to stop and wonder how Cisco is going to make all this stuff work together. All joking aside, it does make sense, but the price seems really high. Cisco does need to do something about spam to keep its iron-like grip on network infrastructure.

My only feeling about this is fear that everyone will really buy into the single-vendor solution crap. For people who think that buying everything from one company is the way to go: you will notice that companies that large have divisions that appear to outsiders to be different companies. An example of this is a switch support engineer blaming a firewall support engineer for a problem and vice versa. Did having everything under one roof really buy you anything, aside from the same slow response to security problems for all your products instead of just one?

I can see the Cisco promotions now: with any purchase of a switch or router you get a free antispam box! This doesn’t bode well for other purchases this year.