[82837] in North American Network Operators' Group
RE: Cisco IOS Exploit Cover Up
daemon@ATHENA.MIT.EDU (Guru (Gurumurthy) Yeleswarapu)
Fri Jul 29 17:28:48 2005
Date: Fri, 29 Jul 2005 14:28:11 -0700
From: "Guru (Gurumurthy) Yeleswarapu" <guruy@broadcom.com>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
I just happened to see this:
Last month, a company called Internet Security Systems (ISS) issued an alert
to warn users that Cisco's VoIP offering had a security flaw that would allow
just that. According to the company, this implementation flaw in Cisco's Call
Manager, which handles call signaling and routing, could allow a buffer
overflow that would grant an intruder access to the system to listen in on
all calls routed through it.
This is one scenario described by ISS and other vendors focused on selling
technology to plug the security holes in VoIP, a method for sending voice
traffic over IP that many say was not designed with security in mind. ISS and
its competitors, which come to this new field largely from the VoIP
management and IP security markets, forecast big risks for companies that
don't take VoIP security seriously, and undoubtedly look forward to
formidable revenue streams generated by those that do.
Guru
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Janet Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: swm@emanon.com; nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up
Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they
> will not be running IPv6 (current exploit) or SNMP (older exploits) or
> BGP (other exploits) or SSH (even other exploits) on that box. :) (the
> 1601 or the 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.
The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.
Exploit #1 will be made public. Cisco will release fixed code. Good
service providers will upgrade.
The upgraded code version will be the one targeted by the second, unknown,
exploit.
A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers. A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on each
router. Not all routers will be affected, but some will.
As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do something
fun like erasing configs and locking out console ports. ;-)
Honestly, I've been expecting something like that to happen for years now.
<shrug>