Vendor: Cisco IOS Server Backdoor May Have Been Planted

Two vulnerabilities must align to enable a remote attacker to hijack the server. Is it just a coincidence they were both there at the same time?

A security vendor is questioning whether the IOS FTP Server vulnerabilities Cisco reported on May 9 may constitute an intentionally planted backdoor, as opposed to a series of programming errors that inadvertently led to a backdoor.

Chris Eng, director of security services at Veracode, is suggesting that possibility given that a remote attacker would need one of the flaws—improper authorization checking in IOS FTP—in order to exploit the second flaw—an IOS reload when transferring files via FTP.

In essence, an attacker can bypass authentication and avoid giving credentials because of the first flaw. The attacker then has to overwrite the critical startup configuration file, then has to cause the router itself to reboot in order to execute the rewritten configuration file.

/zimages/4/28571.gifClick here to read more about a Trojan piggybacking on Windows Updater.

"Is it a coincidence that both flaws happen to be there at same time?" Eng asked in an interview with eWEEK. "Multiple things have to fall into place to really exercise the full extent of the attack. That seems a little bit odd. It kind of has the trademarks of what youd expect from [an intentionally planted] backdoor."

Together, the flaws open the door for an attacker to retrieve or write any file from the device file system—including the devices saved configuration. "That configuration file may include passwords or other sensitive information," Cisco said in its advisory.

The origin of the flaws boils down to a question of intent, Eng said. Cisco essentially said in its advisory that the flaws can be used as a backdoor. That could mean that an attacker could exploit the vulnerabilities to gain access to a router.

The backdoor allows a remote attacker to log onto the FTP service on the router without credentials, get onto the router itself and read or write any file on the routers file system. The startup configuration is what the router reads when it reboots, to seed its initial configuration. If an attacker can control that by overwriting, he or she essentially has control of the entire router.

The attacker could take the router offline, for example, or, more ominously, could route traffic to another destination where the traffic can be intercepted.

In that definition, were not looking at how the flaw got there in the first place, Eng said. "Were just taking it as a fact that yes, its there and yes, people could do bad things with it."

The flaws could well be simple programming mistakes. "In most cases, when a vulnerability in a piece of software is discovered and made public, its because of an implementation error on the part of the [developer not having] adhered to secure programming guidelines," Eng said. "Its just a mistake. Programmers do it all the time."

On the other hand, if the flaws are a backdoor, was it planted into the code base intentionally, by someone who gained access to the code base? Such could be the case with a disgruntled developer who had access to the code base, Eng said, or somebody who didnt already have access to the code base launched an attack on Cisco, gained access to the code base and surreptiously made changes. Then, once the code ships, such access to routers gets pushed out to all Cisco customers, he said.

If the flaws werent intentionally planted, then they at least highlight the need for more frequent and better security reviews, Eng said, given the number of versions of IOS that harbor the flaws "This is an FTP interface and an authentication mechanism," he said. "Maybe they need better focusing of security reviews to look at these critical components, and look at these things that are liable to be exploited. With five versions of 12 [affected, etc.], they might need to do this more frequently to catch these things."

Use of the IOS FTP Server is an optional service that is disabled by default. Users can disable use of the server by executing this command in configuration mode:

no ftp-server enable

Cisco has supplied other mitigations here in Ciscos Applied Intelligence document, a companion to the advisory.

Cisco hadnt responded to a request to comment on the issue by the time this story was posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.