Routers Open to Attack

Major vulnerabilities involving the Cisco IOS and TCP leave network administrators bracing for attacks.

Two major security issues affecting routers hit the Internet community within hours of each other last week, sending administrators and network operators scurrying to get updated software to protect their devices before an expected wave of attacks begins.

The more serious of the two problems is a critical vulnerability in Cisco Systems Inc.s Cisco IOS Software, which runs the companys routers and switches. When trying to process certain types of SNMP requests, the software mishandles the messages and resets the device. As a result, an attacker could cause a DoS (denial-of-service) condition on any vulnerable device.

The vulnerability is easy to exploit, experts say. "A freshman programmer could use this attack to bring down a router," said Shawn Hernan, the senior member of the technical staff at The United States Computer Emergency Readiness Team, in Pittsburgh.

SNMP is used to send messages to remote machines for control and management purposes. Methods exist for mitigating the effects of this flaw for messages using SNMPv1 and SNMPv2c. However, any SNMPv3 message sent to a vulnerable machine will reset the device, according to a bulletin published Tuesday by the US-CERT.

Plan of attack Details of new Internet security flaws Cisco IOS SNMP flaw Can lead to router crashes, DoS Considered easy to exploit TCP attack Can disrupt TCP sessions Affects all TCP devices Can be difficult to perform

The other problem is a new attack for a well-known flaw in the TCP protocol that lets an attacker terminate TCP sessions. The scenario has many security experts worried, given the ubiquity of TCP and that theres an attack tool already circulating on the Internet.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. The problem is that TCP sessions can be reset by sending specially crafted RST (reset) or Syn (synchronize) packets to either machine in a session. Security experts know that such an attack is possible but considered it to be impractical to implement because of the difficulty of guessing the random numbers used to set up TCP sessions. However, Paul Watson, a security researcher in Milwaukee, found that machines receiving TCP packets will accept packets with numbers that are within a certain range of the actual sequence number.

"It takes about 15 seconds for the attack tool to resize the window and guess the number and crash the device," said Chris Rouland, vice president of the X-Force Research team at Internet Security Systems Inc., in Atlanta.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: