Security Basics mailing list archives

Re: Cisco Workaround


From: James Fields <jvfields () tds net>
Date: 30 Jul 2003 13:31:24 -0400

This sounds false on its face.  Cisco actually makes a great deal of
money from providing support (trust me, I know what my company pays for
a blanket contract and it's enough to put several Cisco-kids through
college every year).

There's a pretty good reason why this flaw wasn't found sooner - the
parameters required to exploit the flaw are a combination of things that
are extremely unlikely to occur naturally.  Three of the four protocols
are not something you'd intentionally target at a router.  The fourth
(PIM) is something you would target at a router if you needed it, but my
understanding is with PIM support in the IOS and enabled, the router
isn't affected.  Further, for all four protocols the TTL on the packet
has to be exactly at the point of expiring to get "wedged" in the input
queue.  It is very rare for any packet's TTL to expire exactly at the
place where it is intended to land except during traceroutes - the only
other time it is common for a TTL to expire is where there is a routing
loop somewhere in a network.

What is quite possible is that once in a VERY long while a router might
be affected by something in these protocols, but since it takes a lot of
these special packets to fill the input queue in many cases people may
not know they were being affected at all, or may have opened TAC cases
wondering why their input queues seemed to be stuck at something higher
than 0.  I would bet a (small) sum that up until the flaw was announced
and hackers got busy creating exploits, there were no documented cases
of a router's interface getting hosed this way that were attributable to
this kind of traffic.

How exactly would Cisco "conveniently" find this flaw?  Are you
suggesting that they somehow introduced it?  How could they do that when
it is apparently in every IOS since 1994?  That certainly seems to be
the suggestion given your assertion that it is odd that it wasn't
discovered sooner.

I do not think we are praising them for having such a nasty bug.  I
think the reason Cisco is looking OK is that Cisco's behavior in
revealing it themselves is seen in contrast to so many companies who A)
don't find their own flaws and B) ignore them or deny them when
notified.  If you wanted them to be like everyone else, they could
simply have kept this one to themselves and hoped no one would find it
for a couple more years, counting on most everyone upgrading past the
vulnerability.  Based on how long it went undetected, they could have
tried that.

On Wed, 2003-07-30 at 07:33, Jac wrote:
> As to support, I heard an interesting conspiracy
> theory related to Cisco support and the IOS flaw:
> 
> The theory is that Cisco had far too many IOS versions
> that they support in the field and in order to reduce
> support costs they "conveniently" found this flaw with
> the IOS software and used it to propel an upgrade of
> all IOS systems, thus reducing the overall costs of
> support and saving Cisco a large amount of $$$$$.
> 
> I have found it strange that such an easy and
> dangerous flaw has not given Cisco a black eye on
> this. Micro$oft constantly is getting beaten for less
> dangerous flaws in their OS and other software, but
> Cisco actually has gotten praise for having found and
> published the flaw's details [as limited as those
> details were].
> 
> What do you think?
> 
> Jac


"I'm not paranoid, everyone is out to get me."

-- 
James V. Fields

