Exploit Available for Cisco IOS Vulnerability 277
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, has now a published exploit available, as reported recently by CERT. While there are some some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit could script kiddies start creating havock?. jerw134 wanted to start a pool to find out when the exploit would be publicly available, here's the answer."
Re:Great... (Score:5, Informative)
The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.
steve
Re:Tell me why (Score:5, Informative)
After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.
I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.
Protocol Independent Multicast? (Score:3, Informative)
grep 103
pim 103 PIM # Protocol Independent Multicast
Re:hmm, and suddenly today roadrunner is dog-slow. (Score:2, Informative)
RR in upstate NY has bee dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
Oh look.. it says there's nothing wrong in my area.. bullshit!
Re:Protocol Independent Multicast? (Score:5, Informative)
I've already posted a lot of information regarding this on the Nanog list.. but the "exploit" that has been release (shadowchode) isn't required to exploit this bug
Re:Where is the Exploit ? (Score:5, Informative)
enormous ddos potential - patch right away! (Score:5, Informative)
Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:
}
If you haven't patched already - do it now.
Re:Exploits et al., (Score:3, Informative)
In this post, he said:
Writing websites in C is generally a very bad idea. It does horrible things to the security - introduces buffer overflow problems. And the speed increase, when it even exists (Java's performance is better than most people think), is not worth the extra programmer time.
In an older post [slashdot.org], he said:
...so, apparently, he mostly uses the interpreted languages he just dissed stupidly.
The rest of the post is just stupid buzzwords:
More colors = more information = more time to download, but that O(log n) is stupid and wrong. And the other stuff is even more gibberish. This exploit has nothing to do with web applications, anyway.
MOD PARENT DOWN (Score:1, Informative)
The discoverer notified Cisco and everyone else, but held back on the exploit code until Cisco had a chance to work on it. Now that the word is out as well as the patch, don't waste time here when you should be patching your CATs (or looking for a new job).
sheesh.
Re:Importance of shaming they who published the ex (Score:1, Informative)
THEY HELD BACK ON THE EXPLOIT CODE UNTIL CISCO COULD DEVISE A PATCH.
Larger customers (ISPs, etc.) were taken care of in advance of the general public notification. Independent parties were no doubt already working on their own exploit code. It's quite common to release the patch and the exploit code at the same time; in fact, some parties prefer to release 0-Day exploit code... let's just be glad these particular folks didn't.
Here is the exploit the article is talking about (Score:2, Informative)
Cisco IOS Exploit [idefense.com]
You can also easily create the exploit using hping2.
Re:Great... (Score:4, Informative)
Also, I haven't had to mail TAC yet for any of the routers (30, and counting) I've had to upgrade. My new code has been available throught the traditional channel (Cisco's Software Center).
People that are having to mail the TAC are doing so because they have no support contract (thus, no access to the Cisco Software Center), or because the code for their specific platform doesn't appear to be available through the Software center.
Source for shadowcode Exploit (Score:5, Informative)
Heres a link [chiyocon.com] to the source in b64 format, you can extract it with:
openssl base64 -d -in cisco.txt -out cisco.tgz
Happy testing!
The fix... (Score:5, Informative)
Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol
103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
Re:updates (Score:3, Informative)
Of course, there are also freely available perl and expect scripts out there that would allow you to do the same thing.
Re:Great... (Score:5, Informative)
I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".
Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?
you don't have to email somebody and wait an hour to get the exploit
If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.
steve
Re:Great... (Score:3, Informative)
There are various channels from which to get the IOS. If you have a CCO account and know which version you want/need, you just log in and download it. There are also other ways of getting it, but as a "last-ditch" (or "too-lazy") method, you can email their support group directly.
steve
Re:Contact your network company (Score:2, Informative)
Re:Great... (Score:3, Informative)
You have a Cisco 2610...
What Feature pack?
Re:Contact your network company (Score:3, Informative)
Re:I dont get it..... (Score:1, Informative)
Re:Contact your network company (Score:3, Informative)
Huh? It's cheaper to drop a packet at the process switching level than to actually forward it to the process that implements the corresponding service.
We are talking about packets targeted at the router, and filters for them are not necessarily in the forwarding path (they can be implemented there to protect the main CPU(s) from DDOS attacks, of course). For forwarded packets, you are correct that this is problematic on core routers, e.g. very few GSR linecards support more than a few dozen ACL entries per interface, some do not support any filters at all.
Re:Contact your network company (Score:3, Informative)
I'm not sure what you are talking about. "Fast switching" is an obsolete Cisco marketing. Maybe this is an accident and you allude to the possibility that filters decrease forwarding performance. However, quite a lot Cisco routers support either wirespeed ACLs or specific ACLs for traffic directed at the router (which do not impact forwarding performance).
Re:Contact your network company (Score:3, Informative)
http://www.cisco.com/en/US/products/sw/iosswrel/p
http://www.networkcomputing.com/902/902sp2.html [networkcomputing.com]
http://www.cisco.com/univercd/cc/td/doc/product/s
http://www.faqs.org/faqs/cisco-networking-faq/sec
Re:Great... (Score:3, Informative)
ftp://user:pass@ftp.cisco.com/cisco/ios/