Cisco Router Vulnerabilities

Cisco has published advisories for three vulnerabilities it has just patched in routers and switches running Cisco IOS or Cisco IOS XR software. All three can be triggered remotely to cause a denial of service (DoS); one of them, a crafted IP option flaw, may also allow arbitrary code execution. All of Cisco's security advisories are listed at Cisco Security Advisories and Notices. Here is a quote from the advisory for the most dangerous of the three:

Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2) packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet containing a specific crafted IP option in the packet’s IP header. No other IP protocols are affected by this issue.

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as “Internetwork Operating System Software” or simply “IOS”. On the next line of output, the image name will be displayed between parentheses, followed by “Version” and the IOS release name. Cisco IOS XR software will identify itself as “Cisco IOS XR Software” followed by “Version” and the version number. Other Cisco devices will not have the show version command or will give different output. Source: Cisco Security Advisory: Crafted IP Option Vulnerability
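As an added example (not from the Cisco advisory or this post), here is a small Python routine that applies the identification rules quoted above to captured show version output: IOS XR announces itself as "Cisco IOS XR Software" followed by "Version", IOS as "Internetwork Operating System Software" or "IOS" with the image name in parentheses before "Version", and anything else is treated as some other Cisco product. The banners it is run against are constructed for the example rather than captured from real devices, and the function name, the regular expressions and the tuple it returns are this example's own design.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners (not captured from real devices). Each keeps the
# layout the advisory describes: platform name on the first line, and for IOS
# the image name in parentheses followed by "Version" and the release name.
IOS_CLASSIC_BANNER = """Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JK9S-M), Version 12.2(14)S, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
"""
IOS_MODERN_BANNER = """Cisco IOS Software, C2600 Software (C2600-IK9O3S3-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
"""
IOS_XR_BANNER = """Cisco IOS XR Software, Version 3.3.1[00]
Copyright (c) 2006 by cisco Systems, Inc.
"""
OTHER_BANNER = """Cisco PIX Firewall Version 6.3(5)
"""


def identify_platform(show_version: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (platform, image_name, version) from show version output.

    platform is "IOS", "IOS XR" or None (some other Cisco product). Only the
    first two non-empty lines are inspected, which is where the advisory
    says the identifying strings appear.
    """
    lines = [ln.strip() for ln in show_version.splitlines() if ln.strip()]
    banner = "\n".join(lines[:2])
    m = re.search(r"^Cisco IOS XR Software,\s*Version\s+([^,\s]+)", banner, re.M)
    if m:
        return "IOS XR", None, m.group(1)
    if "Internetwork Operating System Software" in banner or re.search(r"\bIOS\b", banner):
        # image name sits in parentheses immediately before ", Version <release>,"
        m = re.search(r"\(([^()\s]+)\),\s*Version\s+([^,\s]+)", banner)
        if m:
            return "IOS", m.group(1), m.group(2)
        return "IOS", None, None
    return None, None, None


if __name__ == "__main__":
    for banner in (IOS_CLASSIC_BANNER, IOS_MODERN_BANNER, IOS_XR_BANNER, OTHER_BANNER):
        print(identify_platform(banner))
```

Feed it the text of show version collected from each device and compare the returned version against the affected-release tables in the advisory; a None platform means the device is not running IOS or IOS XR and the advisory's tables do not apply to it.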

The SANS Internet Storm Center has published a summary of all three:

Crafted TCP Packet can cause denial of service (cisco-sa-20070124-crafted-tcp)
A remotely-exploitable memory leak in the Cisco IOS software could lead to a denial of service condition. This vulnerability applies to much of the IOS 12.0, 12.1 and 12.2 code base.

Crafted IP Option vulnerability (cisco-sa-20070124-crafted-ip-option)
By sending certain ICMP, PIMv2, PGM or URD packets with a specific IP option set to a Cisco IOS or IOS XR device, an attacker could cause the device to reload or even execute arbitrary code. This applies to a wide variety of releases.

IPv6 Routing Header vulnerability (cisco-sa-20070124-IOS-IPv6)
Certain crafted IPv6 Type 0 routing headers could crash a device running IOS. Source: Cisco vulnerabilities

Cisco has also released an Applied Intelligence Response bulletin for each vulnerability, describing how to detect and mitigate attempts to exploit it:

Detecting and mitigating cisco-sa-20070124-crafted-tcp
Detecting and mitigating cisco-sa-20070124-crafted-ip-option
Detecting and mitigating cisco-sa-20070124-IOS-IPv6
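The bulletins above are Cisco's own. As an added example that is not from Cisco or this post, here is a Python sketch of the packet-level checks a detector would need for two of the three issues: it parses the IPv4 option list and flags any option carried on the protocols the crafted-IP-option advisory names (ICMP, PIMv2 and PGM, plus TCP to port 465 for URD, which is this example's assumption rather than anything stated above), and it walks the IPv6 extension-header chain looking for a Type 0 Routing Header. The advisory does not say which option value is the dangerous one, so the IPv4 check flags every option on those protocols instead of a specific type; the crafted TCP memory leak is not covered because the page gives no packet details for it. All sample packets are constructed inline, and every function name here is the example's own.

```python
import struct
from typing import List, Optional, Tuple

# IP protocol numbers for the packet types the advisory names. URD has no
# protocol number of its own and is carried over TCP; this example assumes
# TCP port 465 for it (an assumption, not something stated on the page).
ICMP, TCP, PIM, PGM = 1, 6, 103, 113
URD_TCP_PORT = 465


def parse_ipv4_options(pkt: bytes) -> Tuple[int, int, List[Tuple[int, int]]]:
    """Return (protocol, header_length, [(option_type, option_length), ...]).

    Raises ValueError on a malformed header so the caller can treat that as
    suspicious instead of silently skipping the packet.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, parsed, i = pkt[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation: one byte, no length field
            parsed.append((1, 1))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        parsed.append((kind, opts[i + 1]))
        i += opts[i + 1]
    return pkt[9], ihl, parsed


def flag_crafted_ip_option(pkt: bytes) -> Optional[str]:
    """Reason string when the packet has the shape the advisory describes, else None."""
    try:
        proto, ihl, opts = parse_ipv4_options(pkt)
    except ValueError as exc:
        return f"malformed IPv4 header: {exc}"
    if not opts:
        return None
    kinds = [kind for kind, _ in opts]
    if proto in (ICMP, PIM, PGM):
        return f"IP options {kinds} on protocol {proto}"
    if proto == TCP and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport == URD_TCP_PORT:
            return f"IP options {kinds} on TCP/{dport} (assumed URD)"
    return None


def has_ipv6_rh0(pkt: bytes) -> bool:
    """True when an IPv6 packet carries a Type 0 Routing Header in its extension chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nxt, off = pkt[6], 40
    while nxt in (0, 43, 44, 51, 60) and off + 8 <= len(pkt):
        if nxt == 43 and pkt[off + 2] == 0:   # routing type is the third byte
            return True
        if nxt == 44:                         # fragment header: fixed 8 bytes
            hlen = 8
        elif nxt == 51:                       # AH: length in 4-byte units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                 # other extensions: 8-byte units, minus 1
            hlen = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
    return False


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet; the checksum is left zero since only headers are parsed."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + options + payload


# Constructed samples: a Record Route option (type 7) on an ICMP echo, the same
# echo with no options, TCP SYNs to the assumed URD port and to port 80, and an
# IPv6 packet whose first extension header is a Type 0 Routing Header.
RECORD_ROUTE = b"\x07\x0b\x04" + b"\x00" * 8
ICMP_ECHO = b"\x08\x00\x00\x00\x00\x01\x00\x01"
TCP_SYN_465 = struct.pack("!HHIIBBHHH", 40000, 465, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
TCP_SYN_80 = TCP_SYN_465[:2] + b"\x00\x50" + TCP_SYN_465[4:]
SAMPLES = {
    "icmp_with_rr": build_ipv4(ICMP, ICMP_ECHO, RECORD_ROUTE),
    "icmp_plain": build_ipv4(ICMP, ICMP_ECHO),
    "urd_with_rr": build_ipv4(TCP, TCP_SYN_465, RECORD_ROUTE),
    "http_with_rr": build_ipv4(TCP, TCP_SYN_80, RECORD_ROUTE),
    "ipv6_rh0": bytes([0x60, 0, 0, 0, 0, 24, 43, 64]) + bytes(32)
    + bytes([58, 2, 0, 1]) + bytes(20),
}
```

Running flag_crafted_ip_option over the samples flags the ICMP echo and the TCP/465 SYN that carry options, returns None for the option-free echo and for the TCP/80 SYN, and reports a short or truncated header as malformed rather than dropping it; has_ipv6_rh0 is true only for the IPv6 sample. In production the same checks belong in a sensor that sees traffic addressed to the router itself, since that is where these packets are processed.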

As Brian Krebs of Security Fix put it, it's time to reboot the Internet again:

Cisco Systems Inc., the company whose hardware routers are responsible for handling the majority of the world’s Internet traffic, today issued patches to fix at least three very serious security holes in its products. This is generally not something that the average user needs to worry about, but I’m blogging on it because the flaws do have the potential to cause some problems that Internet users could experience in a very real way (i.e. e-mail and Internet access temporarily goes bye-bye).

Most Internet service providers will stagger the installation of these patches so as not to disrupt customers’ online connectivity, but one of these flaws appears to be so easy to exploit that if the bad guys figure out how before ISPs get around to patching then we could very likely see portions of the Internet go dark soon. Source: Time to Reboot the Internet Again

Ah, such is the Internet: if it weren’t for security vulnerabilities, all we’d have left to talk about would be which platform is better, Windows, Linux or OS X.