Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security Hardware

Cisco Announces Holes In PIX Firewall 23

Posted by simoniker from the net-also-full-of-holes dept.
iiioxx writes "Cisco Systems announced on December 15, 2003 that new security holes have been found in the PIX firewall IOS. The vulnerabilities are in SNMP and VPNC functionality, and both allow for DOS attacks against an affected firewall. Vulnerable IOS versions are 6.3.1, 6.2.2 and earlier, 6.1.4 and earlier. 5.x.x and earlier. There are a couple of workarounds for the SNMP vulnerability, but the only way to correct the VPNC problem is to upgrade the IOS."
This discussion has been archived. No new comments can be posted.

Cisco Announces Holes In PIX Firewall More

Cisco Announces Holes In PIX Firewall

Comments Filter:
  • Just in time for winter break, when some crackers have loads of free time.

    Um, Merry Christmas you poor netadmins...

  • Wormhole (Score:2, Funny)

    by Alphanos ( 596595 )
    Joke of the day: Commander Sisko has discovered the wormhole:)!

  • Umm... its not IOS (Score:5, Insightful)

    by LWolenczak ( 10527 ) <julia@evilcow.org> on Wednesday December 17, 2003 @09:47PM (#7750501) Homepage Journal
    IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. Infact, Cisco has been spending lots of time trying to make PIX OS to look like IOS.

    • Re:Umm... its not IOS (Score:3, Informative)

      by iiioxx ( 610652 )
      IOS is what is run on routers. IOS == Internetwork Operating System. PIX OS is completely different. Infact, Cisco has been spending lots of time trying to make PIX OS to look like IOS.

      All pedantry aside, among those in the business, "IOS" is usually considered a generic term, meaning "the software that runs on a piece of Cisco hardware". Rarely, if ever, do I hear the specific terms "PIX OS" or "CatOS" bandied about. The only other common usage is simply "software." As in, "what software is on that
      • But... Pixes are GREEN.... and a PERTY GREEN at that!
      • So you would say that the Cisco 677 also runs IOS? ;-)

      • Re:Umm... its not IOS (Score:3, Informative)

        by Maradine ( 194191 ) *
        I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

        I think what makes things confusing for some people is the fact that many of the hardware types, especially Cats, can run multiple OSs. Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs, and an SVC-FWM-1 in a blade bay running PIXOS (which, for the record, is named 'Finesse'). That's why things get lumped.

        The boys in my local Ci

        • Re:Umm... its not IOS (Score:5, Interesting)

          by iiioxx ( 610652 ) <iiioxx@gmail.com> on Thursday December 18, 2003 @10:23AM (#7754188)
          I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

          I spent about 5 years working for a Cisco VAR, which means I spent a great deal of time talking to Cisco SE's and of course, TAC engineers. I've heard more than a couple of CCIE's refer to IOS in a generic context.

          Now, I'm a sys/netadmin for a company with around 130 location across the US (and a boatload of Cisco gear). I and my cohorts likewise throw the term "IOS" around quite liberally.

          Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs...

          Actually, the "chassis" doesn't run anything, and the Sups run CatOS (just do a 'show module' on your Cat to see for yourself). But I think you are making the point of a Sup running CatOS and the MSFC running IOS, thus having multiple OS's in one box/blade.

          In that situation though, they are more conjoined twins than a singular entity. In fact, in our hardware naming system, the MSFC has a totally different designator than the Supervisor or chassis. So I wouldn't say "upgrade the IOS on that Cat". I'd say, "upgrade the IOS on XX03RM02" or "upgrade the IOS on XX03SW01". The designator makes it clear as to which software I am referring. XX03 is a site code, SW is a switch or Sup (thus CatOS) and RM is a router module or MSFC (thus IOS). Our hardware management database keeps track of the fact that XX03RM02 is conjoined with XX03SW01 and they are in the chassis with asset tag XYZ123.

          The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names.

          That would explain it.
          • Eh, we're reasonably specific about these things. IOS is used as a general term, but when you're talking about a specific device you usually use the more specific term. I mean, no one says "We have to upgrade the IOS on the pixes," although they might say "We have to upgrade the IOS on everything in the data center."

            You'd get a funny look if you said you upgraded something to IOS 6.3.3, wouldn't you?

            • You'd get a funny look if you said you upgraded something to IOS 6.3.3, wouldn't you?

              Maybe. Depends on the context. If someone told me they upgraded a PIX to IOS 6.3, I wouldn't think anything of it. Likewise, if they told me they upgraded a Catalyst to IOS 5.5. I would know what they meant. If they said they upgraded their Catalyst to IOS 12.2, I would also know what they meant. I'm pretty sure that's why Cisco uses the numbering scheme they use.
          • Point taken on the Sups. Forgot about the MSFC.

          • Well I am a CCIE and I would never refer to a Cisco OS generically as "IOS"... It is incorrect to do so and implies something that may not be true.

            For example, the 6500 series can run CatOS on the supervisor by itself, CatOS on the Sup & IOS on the MSFC in "hybrid" mode, or "native" IOS running on both. If you simply referred to it as "IOS" no one would have any idea what you are talking about.

            If nothing else, the highly crippled PIX OS does not deserve to be called "IOS". Cisco should port IOS (a

            • Internally IOS (yes, the IOS that runs on the routers) is ported to x86 (and SPARC). Thats what they do development & testing on.

              The real issue would probably be porting over all the drivers (and the stuff in LES/HES).

              I don't know much of anything about PIX OS though. Didn't they acquire that from somewhere or is it home grown?

    • The PIX actually runs an OS called Finesse (no not the shampoo). PIX was actually a security company that Cisco aquired a while ago which made firewalls.

  • Hey... (Score:3, Insightful)

    by jazman_777 ( 44742 ) on Thursday December 18, 2003 @12:55AM (#7751664) Homepage
    When they say "holes in the firewall" it sounds like functionality. How about "defects" or "bugs"? Really, most firewalls have holes.

Slashdot Top Deals

There must be more to life than having everything. -- Maurice Sendak

Close