Code to exploit Cisco flaw may pose risk

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1002_3-1027326.html

By Robert Lemos 
Staff Writer, CNET News.com
July 18, 2003

Security experts warned Friday that code which could be used to attack
and crash Cisco Systems routers has been posted to public mailing
lists.

The code, posted to the Full-Disclosure security mailing list early
Friday morning, could be used to disable the Cisco routing hardware
that connects many networks to the Internet. Two security
companies--Symantec and Internet Security Systems--upgraded their
estimation of the level of threat posed to companies connected to the
Internet.

"The worry is that someone automates this (attack) and uses it for
mass denial of service against people who haven't upgraded their
routers," said Al Huger, senior director of engineering for Symantec's
security response team. "I don't tend to be alarmist, but I think this
one is a pretty legitimate concern."

Symantec on Friday raised its measure of the threat to 3 from 2. The
five-point scale has been raised to 3 only a handful of times in the
last two years, Huger said. The Slammer worm, Code Red worm and
Bugbear.B virus incidents each were rated 3.

Symantec's intrusion detection systems have detected light attack
activity as a result of the vulnerability. "We aren't (yet) seeing
numbers that are really cause for concern," Huger said.

Cisco updated an advisory to warn customers of the public release of
the flaw but disputed reports that online vandals were exploiting it.  
"We have no confirmation of any networks being impacted, and we have
no reports of any successful network attacks," said Jim Brady, a
spokesman for the company.

Nonetheless, this particular flaw has security experts spooked because
Cisco routers make up a large portion of the Internet infrastructure.  
The routers account for more than 80 percent of the hardware in
corporate networks and more than 90 percent of the hardware that makes
up the Internet, said Rachna Ahlawat, senior analyst for market
researcher Gartner.

"Any hardware that is so widely deployed that is under attack can
cause major network disruption," she said. Ahlawat believes that
because Cisco found the problem through internal testing and managed
to give Internet service providers advanced notice of the issue, there
is a good chance that the worst danger is past.

However, security companies don't seem so sure. While ISPs have been
rushing to fix Cisco routers, it's unknown how quickly corporations
and online retailers have worked to fix their networks.

Internet Security Systems raised its measure of the danger on the
Internet to 3 as well. Both Internet Security Systems and Symantec had
raised the level to 2 the day before, when the Cisco router
vulnerability and a major flaw in Microsoft Windows became public.

"It seems right now that people are testing the exploit code," said
Dan Ingevaldson, engineering director for Internet Security Systems'
vulnerability research team. "We haven't seen any kind of organized
attack, any major attack, or any kind of outage."

The Cisco flaw, as first reported by CNET News.com, could allow an
attacker to stop traffic from flowing through vulnerable network
hardware. After being advised of the flaw on Tuesday by Cisco, ISPs
scrambled Wednesday and Thursday to plug the hole in their network
hardware.

Windows warning

That flaw came just after another widespread vulnerability--this one
in Windows. Microsoft released its advisory Wednesday, warning that
every computer running any version of Microsoft Windows, except for
Windows ME, had a security hole that could allow an attacker to take
control of the computer.

The Windows flaw is in a service that normally wouldn't be available
over the Internet if the system's owner followed strong security
guidelines. However, many companies and home users may inadvertently
have systems that are connected directly to the Internet and aren't
protected by a firewall, security researchers warned.

While a program designed to attack Cisco systems has been published,
Ingevaldson hasn't seen any such exploit for the Microsoft flaw.

"We haven't seen any public exploits, but we were able to develop one
internally," he said. "And we assume that if we can do it, so can
anyone else."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.