Exploit, attacks reported for Cisco IOS vulnerability

IDG News Service - Security experts are warning that ready-made code that exploits a recently announced Cisco Systems Inc. Internetworking Operating System (IOS) vulnerability is circulating and that attacks using the exploit are taking place.
On July 16, Cisco warned of a widespread and serious flaw in IOS that could make devices using the operating system vulnerable to a denial-of-service attack (see story).
The flaw affects a wide range of Cisco devices that run IOS and accept data packets using Internet Protocol Version 4 (IPv4), including Cisco's popular Catalyst family of switches, 7300 series routers and Aironet family of wireless access points.
The exploit was posted to prominent security discussion lists by an unknown individual using the name "Marion Barry," which could be a reference to the former mayor of Washington, and an e-mail address at the free Hotmail e-mail service.
Security provider Internet Security Systems Inc. (ISS) said that it had tested the code contained in that message and that it works, according to Dan Ingevaldson, engineering director for ISS X-Force. The code contains a small program written in the C programming language that makes it easy to quickly develop an exploit using the IOS vulnerability.
"It's probably 200 lines. All it does is give you instructions on how to create an exploit. You just point at a target, and it will fire an attack," he said.
Atlanta-based ISS received reports today of the code being copied widely on the Internet and used in attacks on Internet service providers and major Internet backbone providers. ISS didn't know where the exploit came from, but was surprised by the speed with which it appeared, according to Ingevaldson.
"All I know is that there was an update on the Cisco bulletin, and a few hours later, there was an exploit," he said, referring to Cisco's modification of its earlier security bulletin regarding the IOS vulnerability.
That update bulletin gave more specific information than was first released on what protocols could be used with IPv4 data packets to trigger the IOS vulnerability and create a denial-of-service attack on vulnerable Cisco devices. "Maybe it was not as hard as people thought," Ingevaldson said.
The quick appearance of an exploit follows similar releases for vulnerabilities affecting the Apache Web server, and Microsoft Corp.'s WebDAV HTTP extensions. "It kind of unseats the common adage that there's a 30-day window after an exploit is developed," Ingevaldson said.
Customers are advised to patch affected Cisco systems at the earliest convenience and also apply work-arounds such as access control lists (ACL) to block attack traffic, in keeping with guidelines released by Cisco.
Ingevaldson noted that even patched routers will pass attack traffic on to other devices, allowing such traffic to circulate until a vulnerable Cisco device is found, making the use of ACLs more important.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.