Cisco Exploit Hits the Net

Less than a day after Cisco disclosed a serious vulnerability, experts warn that crackers are already using an exploit to breach routers and switches across the Web.

Less than a day after Cisco Systems Inc. disclosed the existence of a serious vulnerability in its routers and switches, someone posted a working exploit for the issue to a security mailing list.

Using the pseudonym "Marion Barry," the poster published his exploit to the Full Disclosure list early Friday morning. Sources have confirmed to eWEEK that the compiled code does in fact effectively kill a vulnerable device. The exploit has the effect of filling the devices receive buffer and preventing it from processing any further packets.

Officials at Internet Security Systems Inc. said they have seen indications that crackers are actively using the exploit already. The CERT Coordination Center has also issued an updated advisory warning that the exploit is in the wild.

"We believe it is likely that intruders will begin using this or other exploits to cause service outages," CERT said in its bulletin.

Dan Ingevaldson, engineering manager of the X-Force research team at ISS in Atlanta, said he has heard reports of some networks seeing as many as 20,000 packets an hour thrown against their routers. How much of that is due to attacks is impossible to know.

"Were very concerned. When you consider how big Cisco is and how important they are to the Internet, there are millions of devices out there," Ingevaldson said. "Its only been a day since the bulletin went out and already theres a robust exploit out there."

The vulnerability affects every Cisco router and switch running versions 11 or 12.x up through 12.3 of the Internetworking Operating System (IOS). When an attacker sends a specific series of Ipv4 packets to an affected device, the device handles the packets incorrectly and refuses to perform any further routing operations. The attack doesnt trigger any alerts and the device must be manually rebooted in order to resume normal operations.

Routers and switches that are in environments that run only IPv6 traffic are not vulnerable.

Cisco, based in Mountain View, Calif., has released a patch for the vulnerability and is aware that the exploit has been published.

"Since the initial posting of this document, the Cisco [Product Security Incident Response Team] has been made aware of public announcements of the vulnerabilities described in this advisory. Cisco PSIRT is aware that the exploit for this vulnerability has been published on a public mailing list," the company said in an updated version of its bulletin on the issue.

The disclosure of this vulnerability has caused a great deal of concern in the security community. Ciscos routers and switches handle a huge amount of the traffic that crosses the Internet and private networks on a daily basis, which means the potential ramifications from a widespread attack on this flaw could be devestating.

Several network operators said they were forced to take their routers down in the middle of the working day Thursday to repair the vulnerability, something that is almost never done.