Security Basics mailing list archives
Re: Cisco Workaround
From: James Fields <jvfields () tds net>
Date: 30 Jul 2003 13:31:24 -0400
This sounds false on its face. Cisco actually makes a great deal of money from providing support (trust me, I know what my company pays for a blanket contract and it's enough to put several Cisco-kids through college every year).

There's a pretty good reason why this flaw wasn't found sooner - the parameters required to exploit the flaw are a combination of things that are extremely unlikely to occur naturally. Three of the four protocols are not something you'd intentionally target at a router. The fourth (PIM) is something you would target at a router if you needed it, but my understanding is with PIM support in the IOS and enabled, the router isn't affected. Further, for all four protocols the TTL on the packet has to be exactly at the point of expiring to get "wedged" in the input queue. It is very rare for any packet's TTL to expire exactly at the place where it is intended to land except during traceroutes - the only other time it is common for a TTL to expire is where there is a routing loop somewhere in a network.

What is quite possible is that once in a VERY long while a router might be affected by something in these protocols, but since it takes a lot of these special packets to fill the input queue in many cases people may not know they were being affected at all, or may have opened TAC cases wondering why their input queues seemed to be stuck at something higher than 0. I would bet a (small) sum that up until the flaw was announced and hackers got busy creating exploits, there were no documented cases of a router's interface getting hosed this way that were attributable to this kind of traffic.

How exactly would Cisco "conveniently" find this flaw? Are you suggesting that they somehow introduced it? How could they do that when it is apparently in every IOS since 1994? That certainly seems to be the suggestion given your assertion that it is odd that it wasn't discovered sooner.

I do not think we are praising them for having such a nasty bug.
I think the reason Cisco is looking OK is that Cisco's behavior in revealing it themselves is seen in contrast to so many companies who A) don't find their own flaws and B) ignore them or deny them when notified. If you wanted them to be like everyone else, they could simply have kept this one to themselves and hoped no one would find it for a couple more years, counting on most everyone upgrading past the vulnerability. Based on how long it went undetected, they could have tried that.

On Wed, 2003-07-30 at 07:33, Jac wrote:
As to support, I heard an interesting conspiracy theory related to Cisco support and the IOS flaw:

The theory is that Cisco had far too many IOS versions that they support in the field and in order to reduce support costs they "conveniently" found this flaw with the IOS software and used it to propel an upgrade of all IOS systems. Thus reducing the overall costs of support and saving Cisco a large amount of $$$$$.

I have found it strange that such an easy and dangerous flaw has not given Cisco a black eye on this. Micro$oft constantly is getting beaten for less dangerous flaws in their OS and other softwares, but Cisco actually has gotten praise for having found and published the flaw's details [as limited as those details were].

What do you think?

Jac
"I'm not paranoid, everyone is out to get me."
-- James V. Fields