Skip the navigation

Advice: What to do before an IOS disaster strikes

Security expert Jian Zhen explains how to fend off a Cisco router exploit

By Jian Zhen
August 1, 2005 12:00 PM ET

Computerworld - Last week, former Internet Security Systems researcher Michael Lynn presented at the Black Hat USA 2005 conference a reliable process that could be used to exploit Cisco routers running the Internetworking Operating System (IOS.)
Even though the exact exploit demonstrated during his presentation was not disclosed, Lynn showed enough details to prove that the exploit is real and that previous misconceptions that routers and switches are not exploitable are false (see ISS researcher quits job to detail Cisco flaws).
Within days, there were more than a half dozen sites mirroring a copy of Lynn's presentation detailing the IOS exploit process (see Cisco vulnerability posted to Internet). In addition, all major networking mailing lists, such as NANOG, and many blog sites, such as Schneier on Security by security expert Bruce Schneier, were hot with discussions over such topics as responsible and ethical disclosures, possibly exploits and dooms day speculations. A legal defense fund for Lynn has also been created to assist him with the legal battles.
It's important to recognize that amid all the noise and arguments over the recent events, the specific vulnerability discussed in the presentation was not new. The flaw was patched by Cisco in April. All vulnerable versions of the IOS have been removed from the Cisco's Web site. Cisco also allows upgrades even for non-contract customers as long as the call comes through their technical assistance center.
However, it is likely most of the routers on the Internet have not yet upgraded to the latest patched IOS images. In addition, although the new IOS images are no longer vulnerable to the presented exploit, any newly discovered buffer or heap overflow vulnerabilities on the IOS can still be exploited using this same process. Knowing that Cisco's IOS software has been stolen and has been known to be in the wild, it is reasonable to assume that new vulnerabilities will be found and that worms exploiting the new vulnerabilities will probably appear short after. Given the widespread use of Cisco's routers, any vulnerability and/or exploit running wild will cause a huge disaster to the Internet as a whole.
One thing that I have not seen discussed in the many forums is what network administrators should do to remediate the risks of the "Digital Pearl Harbor," as described by Lynn. Cisco, ISS and many network professionals have suggested that the administrators upgrade all the Cisco routers to the latest IOS image.
Although a valid suggestion, upgrading routers is not a simple task. In addition to network disruptions, the latest IOS images may introduce new bugs,



Our Commenting Policies