Cisco Flaw Raises Concerns, but Attacks Deemed Difficult

Computerworld - The public demonstration of an attack against a Cisco Systems Inc. router at last month's Black Hat USA conference showed that a core part of corporate networks may be more vulnerable to hackers than many users had assumed.

But, IT managers and security analysts said last week, companies that follow recommended practices for securing their networks should be reasonably well protected despite the fact that attackers now have information on how to shut down routers by exploiting a previously disclosed software flaw.

"In the end, the Cisco case is no different than [a hack against] a Microsoft or Unix box," said Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, a Basel, Switzerland-based drug maker. "Vulnerabilities will always exist. Organizations have to prepare themselves to be able to protect themselves."

Security researcher Michael Lynn triggered the concerns two weeks ago when he made a presentation about the router flaw at the Black Hat conference in Las Vegas. Cisco and Atlanta-based Internet Security Systems Inc., Lynn's former employer, had tried to stop him from giving his scheduled talk .

Cisco attempted to prevent the information from spreading by securing a court injunction against Lynn and getting Black Hat's organizers to remove his presentation from the conference proceedings. But several security-oriented Web sites posted copies of the presentation, prompting Cisco to issue an advisory on July 29 in which it urged users to upgrade to the latest version of its Internetworking Operating System software.

According to the Cisco advisory, products running certain versions of IOS are vulnerable to attacks that use specially written IP Version 6 packets. Only devices that have been explicitly configured to process IPv6 traffic are affected by the flaw, Cisco said.

The information Lynn disclosed shows how malicious hackers can compromise routers to "stop, redirect and scramble network traffic," said Gene Hodges, president of IT security vendor McAfee Inc. in Santa Clara, Calif.

"Up to now, the [security] community, I believe, has somewhat naively assumed that this wasn't possible," Hodges added, citing the complexity of attacking routers.

Potential Reuse
Although the updated IOS version isn't vulnerable to the hack detailed by Lynn, any newly discovered buffer or heap overflow vulnerability in the software could be exploited using the same process, warned Jian Zhen, director of product management at LogLogic Inc., a Sunnyvale, Calif.-based vendor of tools for managing network data logs.
"That's the most scary part of this whole incident," Zhen said. "The vulnerability is difficult to exploit due to the technical competency required. But all it takes is someone to write the necessary shell code, and 'script kiddies' will be able to use that for new vulnerabilities discovered in the future."