[82829] in North American Network Operators' Group
Re: Cisco IOS Exploit Cover Up
daemon@ATHENA.MIT.EDU (Janet Sullivan)
Fri Jul 29 15:45:19 2005
Date: Fri, 29 Jul 2005 12:44:28 -0700
From: Janet Sullivan <ciscogeek@bgp4.net>
To: swm@emanon.com, nanog@merit.edu
In-Reply-To: <19190571835288@mail.emanon.com>
Errors-To: owner-nanog@merit.edu
Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box. :) (the 1601 or the
> 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.
The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.
Exploit #1 will be made public. Cisco will release fixed code. Good
service providers will upgrade.
The upgraded code version will be the one targeted by the second,
unknown, exploit.
A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers. A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on
each router. Not all routers will be affected, but some will.
As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do
something fun like erasing configs and locking out console ports. ;-)
Honestly, I've been expecting something like that to happen for years
now. <shrug>
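The discovery step in the scenario above, where infected hosts harvest router addresses from ordinary traceroute output, is worth seeing concretely. The following is an added example, not code from the post or from anyone on the list: it parses both Unix traceroute and Windows tracert output, keeps the hops that forwarded the probes (everything except the destination), handles traces that never reach their target, and counts how many paths each hop appears on. The sample traces are constructed for the example and use RFC 5737 documentation addresses; the hostnames in them are placeholders. The same tally is what an operator can run from a few vantage points to see which of their own routers sit on the most paths and so deserve upgrading first.

```python
import ipaddress
import re
from collections import Counter

# A dotted quad anywhere on the line; octet range is checked separately.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Hop lines in both formats start with optional whitespace and a hop number.
HOP_RE = re.compile(r"^\s*\d+\s")

# Constructed sample output (not real traces). Trace 1 is Unix traceroute,
# trace 2 is Windows tracert, trace 3 is a traceroute that never reaches
# its destination. Addresses are RFC 5737 documentation ranges.
SAMPLE_TRACES = [
    """traceroute to www.example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.org (192.0.2.1)  0.412 ms  0.380 ms  0.355 ms
 2  198.51.100.9 (198.51.100.9)  8.102 ms  8.010 ms  7.934 ms
 3  * * *
 4  198.51.100.17 (198.51.100.17)  12.221 ms  12.150 ms  12.098 ms
 5  www.example.net (203.0.113.10)  20.115 ms  20.002 ms  19.987 ms
""",
    """Tracing route to ftp.example.com [203.0.113.40]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2     8 ms     8 ms     8 ms  198.51.100.9
  3     *        *        *     Request timed out.
  4    15 ms    14 ms    14 ms  198.51.100.33
  5    22 ms    22 ms    21 ms  203.0.113.40

Trace complete.
""",
    """traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  gw.example.org (192.0.2.1)  0.401 ms  0.377 ms  0.350 ms
 2  198.51.100.9 (198.51.100.9)  8.120 ms  8.033 ms  7.901 ms
 3  * * *
 4  * * *
""",
]


def _valid(ip):
    """True if the dotted quad is a syntactically valid IPv4 address."""
    try:
        ipaddress.IPv4Address(ip)
        return True
    except ValueError:
        return False


def parse_trace(text):
    """Return (target_ip, [hop_ip, ...]) for one traceroute/tracert output.

    The target comes from the header line ("traceroute to host (ip)" or
    "Tracing route to host [ip]"). Hops that did not answer (* * * /
    "Request timed out.") carry no address and are skipped; hop order is
    preserved. target_ip is None if no header was found.
    """
    target = None
    hops = []
    for line in text.splitlines():
        ips = [ip for ip in IPV4_RE.findall(line) if _valid(ip)]
        if not ips:
            continue
        if HOP_RE.match(line):
            hops.append(ips[0])      # first address on a hop line is the responder
        elif target is None:
            target = ips[0]          # first non-hop line with an address is the header
    return target, hops


def intermediate_routers(text):
    """Hops that forwarded the probes, i.e. every responder except the
    destination itself. If the trace never reached the target, all
    responding hops are intermediates."""
    target, hops = parse_trace(text)
    return [ip for ip in hops if ip != target]


def rank_routers(traces):
    """Count, per intermediate hop, how many distinct traces it appears in.
    Hops shared by many paths float to the top of the returned list."""
    seen = Counter()
    for text in traces:
        for ip in set(intermediate_routers(text)):
            seen[ip] += 1
    return seen.most_common()


if __name__ == "__main__":
    for ip, paths in rank_routers(SAMPLE_TRACES):
        print(f"{ip:16} on {paths} of {len(SAMPLE_TRACES)} paths")
```

The destination is excluded by address rather than by position so that an unanswered final hop does not cause the last responder to be mistaken for the target, and a trace that times out short of its destination still contributes every router that did answer.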