Posted on Friday, January 26th, 2007

The ‘Attack’ IP Option Against Core Infrastructure (Cisco’s Triple Vuln Play)

by Jose Nazario

A couple of days ago a series of three vulnerabilities in Cisco IOS and IOS XR were disclosed. The most severe of these may allow for remote code execution on the affected device, a possibility made less theoretical after Blackhat 2005. The three issues are:

If you run a network, review these and start updating your devices or, if you run an old and unsupported train, disable features or block traffic destined for those interfaces. Luckily, traffic transiting the device won’t affect it.

While various people are upset with Cisco for not disclosing vulnerability details, imagine the tightrope you have to walk disclosing how to defend against such an attack or detect it (i.e., with an IDS signature) when you represent a company with as critical an infrastructure role as Cisco’s. Tempers don’t appear to be too inflamed, however, and people seem to understand this predicament. As for “this always seems to happen to Cisco …”, someone close to the situation said (and I’m paraphrasing), “This happens to every vendor, and this just happens to be our week for this kind of thing.” Ain’t that the truth for any high-profile vendor.

We haven’t seen real-world attacks against these vulnerabilities yet, and that’s not surprising. There’s some time needed to investigate it on your own when you develop an exploit tool with this ambiguous an advisory, and then there’s the issue of testing it. And, when you launch it, do you fire it willy-nilly? Or do you target it more generally? Seems like the latter is preferable to me, but some people will bite the hand that feeds them and try to be “that guy” who “crashed the Internet.”

If the Internet melts down, we’ll surely tell you about it, even if it means we have to go door to door because our emails can’t get through. I know that people in ISP operations groups are sweating this, and they’re doing their best to keep the network humming along. After all, they’re Internet junkies, too.
