Cisco Vulnerability in Check

Flaw affects devices running vendor's IOS.

Despite fears that a flaw in the software that controls most of the routers and switches in the Internet would lead to widespread attacks and network outages, security monitoring companies said they have seen little indication of that happening.

The vulnerability, which affects nearly all routers and devices running Cisco Systems Inc.s IOS (Internetwork Operating System) software, was disclosed July 16, and a working exploit for the flaw hit the Internet two days later. Security experts and network operators worried that the ubiquity of Ciscos devices on the Internet and the easy availability of exploit code would lead to mass attacks on vulnerable routers.

But none of that has come to pass yet.

Timeline for Cisco flaw disclosure

July 16

  • Cisco begins informing large customers of the flaw
  • Ciscos official bulletin is released

July 18

  • Working exploit for the flaw is posted online
  • Attack activity begins but never reaches level experts feared
"Its been generally pretty quiet. The ISPs had pulled together and gotten their patches and access control lists done," said Charles Kaplan, senior director of research and managed security services and information security officer at Guardent Inc., a managed security services provider based in Waltham, Mass. "Weve been getting a lot of calls from clients asking for advice, but no one has been screaming. It really looks like the ISPs did their jobs."

Officials at Internet Security Systems Inc., in Atlanta, reported seeing some attack activity soon after the exploit was released. But the activity didnt reach the levels some experts had predicted.

The vulnerability arises from IOS failure to correctly handle some types of IPv4 packets sent to the device. When a set number of any of the types of packets hits the router, IOS mistakenly flags the input queue on the network interface as being full. After a period of time, the device stops processing traffic.

Ciscos official advisory on the subject said the packets needed to be sent in a certain sequence. However, testing done by an independent consultant showed this to be incorrect. In fact, attack packets in any one of the four affected protocols can be used to hang a vulnerable router, according to research done by Jeffrey Sicuranza, principal consultant at Applied Methodologies Inc., a research lab based in Wantagh, N.Y. Cisco officials eventually amended their advisory to reflect Sicuranzas findings. The company also went so far as to list exactly which protocols could be used to send the offending packets to vulnerable routers, further raising fears that widespread attacks were imminent.

The device can be forced to stop routing any traffic on any interface and requires a complete restart to resume normal operation.

The big ISPs and network operators were among the first to know of the vulnerability. Cisco, based in San Jose, Calif., quietly told the major Internet players July 16, urging them to perform emergency upgrades on their devices. In the next 24 hours, Cisco issued an advisory warning the public of the vulnerability, and many security vendors and research organizations followed suit.

Since then, network operators and IT staffs have been holding their breath, waiting to see if crackers attacked the new flaw. So far, the mad scramble to install patches seems to have worked.

"It was a little scary when we were hearing rumors about the vulnerability, but Cisco hadnt disclosed it yet," Guardents Kaplan said. "But Cisco really stepped up and took care of it."