Exploit Available for Cisco IOS Vulnerability 277
GNUman writes "Cisco's IOS vulnerability, posted by Slashdot and CERT, now has a published exploit available, as reported recently by CERT. While there are some articles claiming that the Internet survived a major flaw, maybe with a publicly available exploit script kiddies could start creating havoc? jerw134 wanted to start a pool to find out when the exploit would be publicly available; here's the answer."
Them Script Kiddies (Score:4, Funny)
the internet's old plight.
Goin' all around,
usin' hacks they didn't write.
Them Script Kiddies lurk the net,
as devious little foes.
Keep them admins well employed,
and keeps them on their toes!
When Script Kiddies learn a trick,
it makes for one tight spot.
If you ain't patched up to date,
think again, because you ought.
How to be a Script Kiddy,
logon the net ad hoc.
Google for the hack you want,
and start your own havoc.
Great... (Score:4, Interesting)
Anyone else gone through hell today trying to get the patch from Cisco?
Grrr... >-/
Re:Great... (Score:5, Informative)
The patch is extremely easy to come by. Do a "sh ver" on your router, and send the output to tac@cisco.com, and ask for an updated IOS. They'll likely be back to you within an hour or so.
steve
Re:Great... (Score:2, Insightful)
However, you have to email cisco to get an update from their screw up?
?????
I'll remember this when it comes time to buy network hardware.
Re:Great... (Score:3, Informative)
There are various channels from which to get the IOS. If you have a CCO account and know which version you want/need, you just log in and download it. There are also other ways of getting it, but as a "last-ditch" (or "too-lazy") method, you can email their support group directly.
steve
Re:Great... (Score:2, Insightful)
What would you call it if they had just provided in their advisory a publicly-accessible link from which to download the patch? "ultra-easy"? How about running "apt-get upgrade"? "hyper-easy"? Or having the patch automatically installed for you by Windows Update? "mega-easy"?
Obviously, I'm not saying that Cisco should adopt any of these specific methods, but
Re:Great... (Score:4, Informative)
Also, I haven't had to mail TAC yet for any of the routers (30, and counting) I've had to upgrade. My new code has been available through the traditional channel (Cisco's Software Center).
People that are having to mail the TAC are doing so because they have no support contract (thus, no access to the Cisco Software Center), or because the code for their specific platform doesn't appear to be available through the Software center.
Re:Great... (Score:5, Informative)
I sent one email, and in return, got all of the IOS versions that I needed for my routers. I'd definitely say that was "extremely easy".
Maybe you mean that I can just tell Linus what kind of computer I have, and he'll send me over a tarball of 2.4.21, pre-configured with the options I'd like?
you don't have to email somebody and wait an hour to get the exploit
If you have a CCO account, then you don't have to wait an hour, you log in and pick it up. Super-mega-fabuloso-easy.
steve
Re:Great... (Score:2)
Tin Foil Hat Time (Score:2)
So far it has been 4 hours since my e-mail... no response whatsoever
Lemme guess.
Your request for help to cisco.com is not really going to go to 198.133.219.25 but to, uhm, a new different, uh, help center, that will be happy to send you an IOS sploit^H^H^H^H^H^H update to have you up and going in a jiffy.
Re:Great... (Score:2)
I haven't paid Cisco a dime. I bought the routers second-hand, and don't have a service contract.
steve
Re:Great... (Score:2)
Re:Great... (Score:2)
The bandwidth drain can't be that high, and keeping those customers happy will probably mean repeat business.
In fact, I'm betting that having to deal wit
Re:Great... (Score:2)
In any case, the TAC has some good folks and a bunch of phone monkeys. I have had some of them help me solve large, complex problems, and just like today, to get an update I go online and open up a call just to make sure I'm getting the right thing; knowing that they will need all kinds of info, I attached a show tech to the call. What do I get? An email containing a request for a show ver. So
Re:Great... (Score:2)
Re:Great... (Score:2)
Wow. Yesterday, I just emailed TAC, gave them the output of "sh ver" for each router, and asked for the appropriate IOS. Within an hour, I had the files that I needed.
I'd just tell him "Look, this is what I have: (include the sh ver). Please tell me which IOS version I need, and please publish it for me."
steve
Re:not that easy (Score:2)
Re:not that easy (Score:2)
Re:Great... (Score:3, Interesting)
Re:Great... (Score:2)
But here's my insightful comment for the day- Cisco is going to have a mint spam list at the end of this. "Hey boss? I just realized that 30,000 people with 100 thousand dollar routers just emailed us with verified addresses." Boss: "I need a paper towel"
Re:Great... (Score:3, Informative)
ftp://user:pass@ftp.cisco.com/cisco/ios/
Surely (Score:3, Funny)
Re:Great... (Score:3, Informative)
You have a Cisco 2610...
What Feature pack?
Contact your network company (Score:5, Insightful)
Re:Contact your network company (Score:5, Funny)
Re:Contact your network company (Score:3, Interesting)
They may use Juniper routers, but if your contract with them includes their maintenance of CPE they provided for you, and the CPE is Cisco, you're still screwed, aren't you?
Re:Contact your network company (Score:5, Insightful)
First of all, your network might be running on non-Cisco gear (yes, there are other vendors).
Second, the fact that so many NOCs have to apply emergency patches is scary. I can understand that NOCs hesitate to install the latest release just after it has been published (some of the releases which include the fix have been available for months), but this particular bug only affects you if your router is insufficiently protected by ACLs against all kinds of malicious traffic. You really want to install such ACLs to mitigate the effect of typical DoS attacks targeted at the router itself, and if you've done your homework, bugs like the present one do not require emergency maintenance.
Re:Contact your network company (Score:2, Informative)
Re:Contact your network company (Score:3, Informative)
Huh? It's cheaper to drop a packet at the process switching level than to actually forward it to the process that implements the corresponding service.
We are talking about packets targeted at the router, and filters for them are not necessarily in the forwarding path (they can be implemented there to protect the main CPU(s) from DDOS
Re:Contact your network company (Score:3, Informative)
Re:Contact your network company (Score:3, Informative)
I'm not sure what you are talking about. "Fast switching" is an obsolete Cisco marketing term. Maybe this is an accident and you allude to the possibility that filters decrease forwarding performance. However, quite a lot of Cisco routers support either wirespeed ACLs or specific ACLs for traffic directed at the router (which do not impact forwarding performance).
Re:Contact your network company (Score:3, Informative)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6c8.html [cisco.com]
http://www.networkcomputing.com/902/902sp2.html [networkcomputing.com]
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/switch_c/xcprt1/xcdipsp.htm [cisco.com]
http://www.faqs.org/faqs/cisco-networking-faq/section-20.html [faqs.org]
Re:Contact your network company (Score:2)
Yes, your NOC better get their Cisco gear out of service until they have the patch in. Otherwise someone could crash the Cisco and make your network connection unusable!
Or something... "We had to destroy the network in order to save it."
Tell me why (Score:5, Insightful)
Re:Tell me why (Score:5, Informative)
After I got him the info, it was only a few minutes before the patch link was sent to me for download. The whole thing was done before lunch today - and that's for a little piss-ant customer with no service contract and a single router.
I think that's about as simple as it needs to be, personally. There's different versions of IOS for different devices, and all sorts of supported code revisions to deal with - it's not like Windows where you have a core version and service packs/hotfixes you may or may not have applied in random combination. Typically, if you have a Cisco router and it's working you'll only want to apply the minimum possible fix to the specific version you're running. So it's a pretty darned complex upgrade matrix. I, for one, am perfectly happy to let TAC guide me through it.
Re:Tell me why (Score:2)
Re:Tell me why (Score:2, Insightful)
Re:Tell me why (Score:2)
Re:Tell me why (Score:2)
Re:Tell me why (Score:2)
"Creating" havoc... (Score:4, Insightful)
Go Open Source (Score:5, Funny)
tried it... works quite well (Score:2, Interesting)
-orbit0r
Whew. (Score:5, Funny)
Dear Slashdot, (Score:5, Funny)
Thanks heaps.
Regards,
Cisco Systems.
Re:MOD PARENT DOWN (Score:4, Insightful)
This is not the CatOS vulnerability, which was announced a week ago. This is a vulnerability in IOS (not CatOS), that Cisco discovered themselves (apparently a while ago, based on some of the build dates). It has been on the public lists for about 2 days now.
If you're going to mock someone, make sure you have your facts straight.
Protocol Independent Multicast? (Score:3, Informative)
grep 103
pim 103 PIM # Protocol Independent Multicast
Re:Protocol Independent Multicast? (Score:5, Informative)
I've already posted a lot of information regarding this on the Nanog list.. but the "exploit" that has been released (shadowchode) isn't required to exploit this bug
Importance of shaming they who published the explo (Score:5, Insightful)
There was very little time to act upon the new IOS version that Cisco provided to the public. The software upgrades were available to the public on Thursday morning at 00:00. CERT made their announcement about 15 minutes later. Today, the exploit is public. That is less than 48 hours to upgrade the hundreds of thousands (if not million+) Cisco routers across the world.
This is the most important security event affecting the Internet since the root DNS server attacks some time back, and this one is potentially much more severe. I have been surprised at the lack of media attention on this issue, or how some of my technical colleagues have treated it. They don't seem to understand how many Cisco routers are out there.
It needs to be shown that by making the exploit of this vulnerability public so soon, the persons who did this only did so for publicity gain at the expense of others.
They hurt others to profit themselves, and that is no more cool than slavery is. And what did they get out of it? "My dick is bigger than yours."
I just don't want this to pass over and the people who made this exploit public think that what they did was cool, or that they are going to get a lot of admiration or karma for it. If they like the Internet, which they probably do, they just did the most harmful thing to it as they could have possibly done.
Some companies did have timely responses.. (Score:2)
Re:Importance of shaming they who published the ex (Score:2)
That's less than 48 hours, depending on which timezone you live in. Should be an interesting weekend for some.
Re:Importance of shaming they who published the ex (Score:3, Insightful)
Why? Most ISPs are very grateful to have something to test if their countermeasures are effective.
Do you really want to upgrade all your core routers at once, and take the risk of introducing a bug which brings down your whole network? It's often better to apply some workaround and schedule an incremental update. In this case, you really want to test if your workaround is effective.
Re:Importance of shaming they who published the ex (Score:2)
Personally, I want to throw the exploit against some of my own equipment just for fun too.
There will be Cisco devices vulnerable to this exploit for years to come. As a consultant, I commonly come across old Cisco routers that have not had their software upgraded in years. N
Who do you work with for chrissakes? (Score:2)
Your colleagues don't realize how many Cisco routers are out there? What, are your colleagues monkeys or something? That's like saying they didn't know how many copies of windows are running out there. Man, do I feel sorry for you. How many emails do *you* get a day that consist of "What's my password?" ?
Re:Importance of shaming they who published the ex (Score:4, Insightful)
It sounds to me like Cisco needs to get their genius engineers together to come up with a better way to distribute IOS images - one that does not involve e-mail, perhaps!
What the people did _was_ cool. They contacted Cisco a while back. Then they released the exploit almost *2 days* after the patch was announced.
Nice try bringing slavery into this. That's ridiculous.
"most harmful thing to it they could have possibly done." Please. Even if they released it 2 seconds before the patch was available, the Internet may have had instability for a day or two while Cisco ships out CDRs to everyone so they can fix it.
To those that choose full disclosure for security - I applaud you! I really appreciate having a program available that allows me to test if my systems are vulnerable and remain vulnerable post-patching.
Re:Importance of shaming they who published the ex (Score:2)
I like full disclosure -- just not within 48 hours of such a major vulnerability.
Almost two days is not sufficient time given the quantity of systems that this problem affects and the severity of the problem.
Re:Importance of shaming they who published the ex (Score:2)
So do them in parallel.
Hell, give me access. I'll upgrade a few million routers in less than 48 hours, no prob.
And I am a lazy pothead sys admin. I don't even work on routers.
Re:Importance of shaming they who published the ex (Score:2)
Upgrade with care. Even the most r
Re:Importance of shaming they who published the ex (Score:3, Insightful)
No one outside Cisco had seen this until a few days ago. The problem is, once Cisco announced it, there were only so many combinations that could cause the problems they were mentioning, and someone found them, and posted it to Full-Disclosure.
enormous ddos potential - patch right away! (Score:5, Informative)
Imagine your typical packet kiddie running dozens of instances of the following pseudocode on his farm of a few hundred trojaned boxes:
}
If you haven't patched already - do it now.
Just Fix It (Score:5, Insightful)
Cisco released the fix two days ago to backbone providers. Other large customers could get the fix early yesterday. If you're affected by this vulnerability and it's not fixed yet:
It seems like Cisco handled this one correctly with the providers. I'm not sure how well large customers were handled, my guess is the .edu folks probably got screwed again.
Re:Just Fix It (Score:3, Insightful)
I work for an ISP. We have about 40-odd routers of various sizes. Six months ago we began upgrading their IOSes to handle IPv6. Last Wednesday we finished. We weren't pissing about; we were picking builds, checking to make sure they supported the features we needed, checking for critical known bugs, deploying them, finding bugs, sometimes scaling back. Some of these problems didn't reveal themselves for a week or two after deployme
Just tried it.. (Score:5, Funny)
Is this a problem of feature inflation? (Score:3, Interesting)
Re:Is this a problem of feature inflation? (Score:2)
It's amazing it's gone this long without being found.
updates (Score:2)
Re:updates (Score:3, Informative)
Of course, there are also freely available perl and expect scripts out there that would allow you to do the same thing.
That reminds me of "don't do drugs" camp (Score:4, Funny)
4 years later... dang! Why are all the students on crack?
Here is the exploit the article is talking about (Score:2, Informative)
Cisco IOS Exploit [idefense.com]
You can also easily create the exploit using hping2.
Re:Here is the exploit the article is talking abou (Score:2)
Cisco tried their hardest to prevent info from getting out to make it easy to create an exploit, but data was leaked. What has this done? It's left hundreds of thousands to millions of routers, with not nearly enough admins to patch, vulnerable to the losers who
Source for shadowcode Exploit (Score:5, Informative)
Heres a link [chiyocon.com] to the source in b64 format, you can extract it with:
openssl base64 -d -in cisco.txt -out cisco.tgz
Happy testing!
I've been reading too much slashdot... (Score:2)
As I first saw this, and figured you'd mis-spelled 10053, because there really SHOULD be an "e" at the end... Then realized that "loose" doesn't fit in the sentence.
Ah well. Stupid me.
-Ben
Wanna check your routers? (Score:3, Interesting)
It's
The fix... (Score:5, Informative)
Interfaces with PIM enabled have not been found to be vulnerable to exploit traffic with protocol 103; PIM traffic may be permitted to those select devices.
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
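The workaround ACL in the post above, and the earlier point that routers protected by ACLs against traffic aimed at the router itself did not need emergency maintenance, both depend on IOS evaluating access-list entries in order with a first match winning and an implicit deny at the end. The following is an added example, not code from the post or from Cisco: a small Python evaluator for IOS-style numbered extended ACLs that replays constructed packets against the posted ACL, against a constructed variant for a PIM-enabled interface, and against a mis-ordered copy where the denies are unreachable. It parses only the `access-list <n> <permit|deny> <proto> <src> <dst>` form with `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` addresses (contiguous wildcards only), and the addresses 192.0.2.1 and 198.51.100.7 are documentation addresses used as constructed sample values.

```python
"""Added example: evaluate Cisco-IOS-style extended ACL lines against
constructed packets (not the Slashdot post's or Cisco's own code).

Assumptions: only 'access-list <n> <permit|deny> <proto> <src> <dst>' lines,
'any' / 'host A.B.C.D' / 'A.B.C.D WILDCARD' addresses with contiguous
wildcards, and the IOS keyword subset in PROTO_KEYWORDS (numbers also work)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# IOS protocol keywords handled here (a subset); bare protocol numbers are also accepted.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "pim": 103}


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None = any IP protocol (keyword "ip")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # "address wildcard": in an IOS wildcard a 0 bit must match, a 1 bit is don't-care
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tok[i], netmask), strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list' lines; blank lines and IOS '!' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line}")
        proto = PROTO_KEYWORDS[tok[3]] if tok[3] in PROTO_KEYWORDS else int(tok[3])
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append(AclEntry(tok[2], proto, src, dst))
    return entries


def evaluate(entries: List[AclEntry], proto: int, src: str, dst: str) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if (e.proto is None or e.proto == proto) and s in e.src and d in e.dst:
            return e.action
    return "deny"


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    shadowed = []
    for i, e in enumerate(entries):
        for earlier in entries[:i]:
            if ((earlier.proto is None or earlier.proto == e.proto)
                    and e.src.subnet_of(earlier.src) and e.dst.subnet_of(earlier.dst)):
                shadowed.append(i)
                break
    return shadowed


# The workaround ACL from the post above.
ACL_FROM_POST = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- other previously applied ACL entries go here
access-list 101 permit ip any any
"""

# Constructed variant for an interface that runs PIM: protocol 103 is still
# accepted when addressed to that interface (192.0.2.1, a documentation address).
ACL_PIM_INTERFACE = """
access-list 101 permit 103 any host 192.0.2.1
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

# Same lines with the permit first: every deny below it is dead.
ACL_MISORDERED = """
access-list 101 permit ip any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
"""

# Constructed sample packets: (IP protocol number, source, destination).
SAMPLE_PACKETS = [
    (53, "198.51.100.7", "192.0.2.1"),   # SWIPE
    (55, "198.51.100.7", "192.0.2.1"),   # IP Mobility
    (77, "198.51.100.7", "192.0.2.1"),   # Sun ND
    (103, "198.51.100.7", "192.0.2.1"),  # PIM
    (6, "198.51.100.7", "192.0.2.1"),    # TCP (e.g. a BGP session) must still pass
    (1, "198.51.100.7", "192.0.2.1"),    # ICMP
]


def apply_acl(acl_text: str, packets=SAMPLE_PACKETS) -> dict:
    """Return {protocol: action} for each sample packet under the given ACL."""
    entries = parse_acl(acl_text)
    return {proto: evaluate(entries, proto, s, d) for proto, s, d in packets}


if __name__ == "__main__":
    for name, acl in (("post", ACL_FROM_POST), ("pim-interface", ACL_PIM_INTERFACE),
                      ("misordered", ACL_MISORDERED)):
        print(name, apply_acl(acl), "shadowed:", shadowed_entries(parse_acl(acl)))
```

Running it shows the posted ACL dropping protocols 53, 55, 77 and 103 while TCP and ICMP still reach the router, the PIM variant permitting 103 only to the PIM-enabled interface address, and `shadowed_entries` flagging all four denies in the mis-ordered copy, which is the check to run before pasting an ACL into a production router.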
Just how long has Cisco known about this? (Score:2, Interesting)
As I said (Score:2)
" I'm going to say an exploit by tomorrow. End of the internet by Sat. All back to normal on Monday"
Rus
Comment removed (Score:4, Funny)
Re:Exploits et al., (Score:2, Funny)
Too late. Now how are we supposed to believe the rest of your story?
Re:Exploits et al., (Score:5, Interesting)
The Cisco situation is not due to bleeding edge issues though. They should have found this problem sooner.
Re:Exploits et al., (Score:2, Interesting)
Re:Exploits et al., (Score:3, Interesting)
Unless you're talking about high quality TIF's B&W vs. Color should not be making a difference in your load times.
Re:Exploits et al., (Score:2, Funny)
Re:Exploits et al., (Score:2)
Re:Exploits et al., (Score:2)
Also, those of us who build for the web have to deal with an incredibly variable environment (OS, browser, connect speed, screen size, language, etc). Some high level abstraction is necessary, unless we want to target just 1 small audience (sadly, many web developers do so).
Idealism is nice, but standing on a soapbox screaming 'Be Patient!' is not really practi
Re:Exploits et al., (Score:2)
You say this as if it were a disadvantage. Do you also consider access ramps near buildings to be eyesores, and do you routinely park your car in the spots reserved for the disabled?
Lemme tell you: lots of people don't use lynx by choice, but because they have a disability (blindness) that prevents them from using other browsers. Text-only browsers may be us
Re:Exploits et al., (Score:2)
Most folks do not still want text only pages. I know that this is a raw deal for blind folks and the like. The fact is, most clients are not interested in websites that look like they are from 1996.
I actually try to build 2 years behind, so older browsers can handle my code, and a reasonable amount of time for upgrades is allowed.
I am a _huge_ believer in standards, actually, but dealing with clients (in both business and browser sense) that are not is exceptionally difficult.
Unfort
Re:MODERATORS! (Score:2)
Re:Exploits et al., (Score:2)
Incidentally, few websites expect the 'widest number of people possible' to visit. Most have a fairly specific demographic.
Ok, someone call off the Lynx hounds!!!
Re:Exploits et al., (Score:2)
Re:Exploits et al., (Score:2, Insightful)
Re:Exploits et al., (Score:3, Insightful)
Re:Exploits et al., (Score:2)
were these radical improvements implemented on linux 9.0 [slashdot.org]?
Re:Exploits et al., (Score:3, Informative)
In this post, he said:
Writing websites i
Re:Exploits et al., (Score:2)
That, combined with your uncanny ability to cite "The Mythical Man Month" in every single post as well as to consistently get modded down to "0, Troll" or lower makes me wonder if you even know what log(n) means, or if you just have a BS generator on your computer producing these painfully self-promoting posts.
Re:Exploits et al., (Score:2)
No. The webdesigner will create a new page from scratch and toss out the C.
Re:As Mentioned on Slashdot (Score:2)
Of course I am seriously doubting that the Net will be any fun this weekend.
Re:As Mentioned on Slashdot (Score:2)
Then wonder why their probe script doesn't work anymore.
Re:hmm, and suddenly today roadrunner is dog-slow. (Score:2, Informative)
RR in upstate NY has been dog-ass slow for 2 days straight now... despite the "network status" page being filled with "area down for cable maintenance/upgrades" for 3 days.
Oh look.. it says there's nothing wrong in my area.. bullshit!
Re:Where is the Exploit ? (Score:5, Informative)
Re:The code (Score:3, Interesting)