North American Network Operators Group


RE: Cisco IOS Exploit Cover Up

  • From: Guru (Gurumurthy) Yeleswarapu
  • Date: Fri Jul 29 17:29:34 2005

I just happened to see this:

Last month, a company called Internet Security Systems (ISS) issued an alert
to warn users that Cisco's VoIP offering had a security flaw that would allow
just that. According to the company, this implementation flaw in Cisco's Call
Manager, which handles call signaling and routing, could allow a buffer
overflow that would grant an intruder access to the system to listen in on
all calls routed through it.

This is one scenario described by ISS and other vendors focused on selling
technology to plug the security holes in VoIP, a method for sending voice
traffic over IP that many say was not designed with security in mind. ISS and
its competitors, which come to this new field largely from the VoIP
management and IP security markets, forecast big risks for companies that
don't take VoIP security seriously, and undoubtedly look forward to
formidable revenue streams generated by those that do.  

Guru

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Janet Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: [email protected]; [email protected]
Subject: Re: Cisco IOS Exploit Cover Up


Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they
> will not be running IPv6 (current exploit) or SNMP (older exploits) or
> BGP (other exploits) or SSH (even other exploits) on that box.  :)
> (the 1601 or the 2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.

Exploit #1 will be made public.  Cisco will release fixed code.  Good
service providers will upgrade.

The upgraded code version will be the one targeted by the second, unknown,
exploit.

A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers.  A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on each
router.  Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do something
fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years now.
<shrug>