nanog mailing list archives

Re: IOS Rookit: the sky isn't falling (yet)


From: Adrian Chadd <adrian () creative net au>
Date: Wed, 28 May 2008 01:13:20 +0800

On Tue, May 27, 2008, Valdis.Kletnieks () vt edu wrote:

> There's basically 2 classes of Cisco routers out there:
>
> 1) Ones managed by Jared and similarly clued people, who can quite rightfully
> yawn because the specter of "IOS rootkits" changes nothing in their actual
> threat model - they put stuff in place 3 years ago to mitigate "Lynn-style IOS
> pwnage", and it will stop this just as well.  Move along, nothing to see.
>
> 2) Ones managed by unclued people.  And quite frankly, if Lynn didn't wake
> them up 3 years ago, this isn't going to wake them up either.  Move along,
> nothing new to see here either.
>
> "60% of routers run by bozos who shouldn't have enable. Film at 11".

Bloody network people, always assuming their network security stops at
their router.

So now that someone's done the hard lifting to backdoor an IOS binary,
and I'm assuming you all either upgrade by downloading from the cisco.com
website or maintain a set of your own images somewhere, all one needs
to do is insert themselves into -that- path and you're screwed.

Hijacking prefixes isn't hard. That was presented at the same security
conference.

Cracking a UNIX/Windows management/FTP/TFTP host isn't impossible - how
many large networks have their server infrastructure run by different
people to their network infrastructure? Lots and lots? :)

Sure, it's not all fire and brimstone, but the bar -was- dropped a little,
and somehow you need to make sure that the IOS that's sitting on your
network management site is indeed the IOS that you put there in the
first place.




Adrian
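One concrete way to do what the post asks for, checking that the images staged on a management/TFTP host are still the ones you put there. This is an added example written for this archive page, not code from the thread or from Cisco. It assumes the images are plain files in a staging directory, that you recorded their hashes at the moment you trusted them (right after downloading and verifying the vendor checksum), and that the manifest of known-good hashes lives somewhere the staging host cannot rewrite; the filenames and image bytes below are constructed stand-ins, not real IOS binaries.

```python
"""Verify that staged IOS images still match the hashes recorded when they
were trusted.  Added example for the thread above; not Cisco's or the
poster's code.  Assumption: the manifest is stored off the staging host
(signed, or on a box the network team alone controls), otherwise whoever
owns the TFTP/FTP host simply rewrites both the image and its hash."""
import hashlib
import hmac
from pathlib import Path
from typing import Dict

HASH_ALGO = "sha256"  # assumption: any strong hash will do; MD5 alone is weak


def digest(data: bytes) -> str:
    """Hex digest of an image's bytes."""
    return hashlib.new(HASH_ALGO, data).hexdigest()


def record_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each image once, at the point you trust it, keyed by filename.
    Run this right after download + vendor-checksum verification, then move
    the result off the staging host."""
    return {name: digest(data) for name, data in images.items()}


def verify_images(images: Dict[str, bytes],
                  manifest: Dict[str, str]) -> Dict[str, str]:
    """Return one verdict per file:
      'ok'        hash matches the recorded one
      'TAMPERED'  file present but its hash differs (the backdoor case)
      'UNKNOWN'   file present on the host but never recorded (a drop-in)
      'MISSING'   recorded image no longer present on the host"""
    verdicts: Dict[str, str] = {}
    for name, data in images.items():
        expected = manifest.get(name)
        if expected is None:
            verdicts[name] = "UNKNOWN"
        elif hmac.compare_digest(digest(data), expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "TAMPERED"
    for name in manifest:
        if name not in images:
            verdicts[name] = "MISSING"
    return verdicts


def load_images(directory: str) -> Dict[str, bytes]:
    """Read every regular file in a staging directory (for real use)."""
    return {p.name: p.read_bytes()
            for p in Path(directory).iterdir() if p.is_file()}


# Constructed sample data standing in for real IOS binaries (not real images).
GOOD_IMAGES = {
    "ios-image-a.bin": b"placeholder bytes for a good image\x00",
    "ios-image-b.bin": b"placeholder bytes for another good image\x00",
}
KNOWN_GOOD_MANIFEST = record_manifest(GOOD_IMAGES)


def staged_images_after_tampering() -> Dict[str, bytes]:
    """Constructed scenario: one image patched in place, one removed, and an
    unrecorded file dropped onto the staging host."""
    staged = dict(GOOD_IMAGES)
    staged["ios-image-a.bin"] = GOOD_IMAGES["ios-image-a.bin"].replace(
        b"good", b"evil")
    del staged["ios-image-b.bin"]
    staged["dropped-in.bin"] = b"image nobody ever recorded\x00"
    return staged


if __name__ == "__main__":
    results = verify_images(staged_images_after_tampering(),
                            KNOWN_GOOD_MANIFEST)
    for name, verdict in sorted(results.items()):
        print(f"{verdict:9} {name}")
```

The manifest check only covers the copy on the staging host; the same hash should be checked again on the router after the transfer (IOS has `verify /md5 flash:<image>` for comparing a flashed image against the vendor-published MD5), since the point of the thread is that the path between the vendor and the box is what got cheaper to attack.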