New Cisco switch flaw could lead to DoS attacks

The vulnerability exists in Cisco's Internetwork Operating System SNMP service

The Department of Homeland Security and US-CERT are warning of a serious vulnerability affecting several Cisco Systems Inc. switches and routers that could result in sustained denial-of-service conditions.

The flaw exists in Cisco's Internetwork Operating System (IOS) SNMP service and could allow remote attackers to cause vulnerable systems to repeatedly reboot when processing specific SNMP requests. If carried out long enough, such attacks could lead to sustained DoS conditions, the US-CERT said in an advisory posted earlier today.

The latest SNMP vulnerability is different from a previous flaw, also affecting IOS, that Cisco announced yesterday. That vulnerability stems from a weakness in the TCP specification itself and is not specific to Cisco products.

According to a statement on Cisco's site, the latest SNMP vulnerability affects only certain releases of IOS software. Affected versions include 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T, according to Cisco.

Several factors make the SNMP vulnerability particularly dangerous, said Amit Yoran, director of the National Cyber Security Division of the DHS, in a news conference announcing the flaw this morning.

Among them are the breadth of Cisco products affected by the flaw, the widespread deployment of such products and the fact that it is relatively easy for attackers to take advantage of the vulnerability, Yoran said. The fact that few preconditions need to exist for it to be exploited is another major reason for concern, Yoran said.

"A freshman programmer can attack this vulnerability and crash a router," Yoran said.

"There's very little by way of resources that is needed to mount an attack," said Shawn Hernan, a member of CERT's technical staff. "An ordinary desktop is more than sufficient" to take advantage of the flaw, Hernan said. Even companies that follow security best practices are unlikely to be safe from attacks.

As a result, the best approach is to apply patches Cisco has made available as soon as possible, Hernan said.

Cisco also published several work-arounds. They include disabling SNMP processing on devices running affected versions of IOS, using access-control lists to block SNMP traffic to the affected ports, and blocking individual ports.

Such work-arounds, though, are complex to implement and may require local expertise, Hernan said.

In many cases they may also require crucial services to be disabled, Yoran said. The work-arounds depend "very much on local considerations. This is not something where standard best practices are going to be effective," he said.
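As an added illustration of the work-arounds described above (this is not configuration from the article or from Cisco's advisory), the fragment below shows the three options on an IOS device: removing SNMP entirely, restricting the community string to a management station with a standard ACL, and dropping SNMP and SNMP-trap datagrams from anyone else at an untrusted interface. The management address 192.0.2.10, the interface FastEthernet0/0 and the community string are assumptions for the example.

```cisco
! Added example; not from the article or Cisco's advisory.
! Assumed: management station 192.0.2.10, untrusted interface FastEthernet0/0,
! hypothetical read-only community string "s3cr3t-ro".

! Option 1: the device does not need SNMP. Removing all snmp-server
! configuration stops the agent listening on UDP 161 altogether.
no snmp-server

! Option 2: SNMP is required. Bind the community to a standard ACL so only
! the management station can talk to the agent; log anything else.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
snmp-server community s3cr3t-ro RO 10

! Option 3: filter SNMP (UDP 161) and SNMP traps (UDP 162) from all other
! sources at the untrusted interface, before the packets reach the SNMP process.
access-list 101 permit udp host 192.0.2.10 any eq 161
access-list 101 deny   udp any any eq 161 log
access-list 101 deny   udp any any eq 162 log
access-list 101 permit ip any any
interface FastEthernet0/0
 ip access-group 101 in

! Verification: the deny counters in "show access-lists 101" should increase
! when unsolicited SNMP arrives, and "show snmp" reports whether the agent is on.
```

Option 3 only inspects traffic entering that one interface, and because SNMP runs over UDP an attacker who spoofs the management station's source address passes the interface filter; the community ACL and, where possible, `no snmp-server` are the stronger controls, which matches Hernan's point that the right mix depends on local circumstances.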

Given the serious nature of the flaw, the US-CERT has been in touch with its counterparts in other countries and has shared technical details with them, Hernan said.

As with the SNMP vulnerability, the TCP flaw allows remote attackers to disrupt mail and router services, leading to potential DoS conditions.

The flaw, disclosed by the U.K.'s National Infrastructure Security Co-ordination Centre, involves a long-known weakness in TCP that could allow malicious hackers to launch so-called router reset attacks. Particularly vulnerable to the TCP flaw are the Internet's Border Gateway Protocol routers, which are used to share traffic routing information on the Internet.

Unlike the TCP flaw, which affects all products using the protocol, the SNMP flaw is specific to Cisco's implementation.

Users who address the SNMP flaw with Cisco's updates will also be patched against the TCP flaw, Hernan said. However, Cisco routers that aren't affected by the SNMP flaw may still need to be patched separately against the TCP vulnerability.


Copyright © 2004 IDG Communications, Inc.
