The IOS vulnerability threat just ratcheted up a notch with another first: someone has actually developed a malicious rootkit for any version of IOS that runs on Cisco's routers, a development that has placed increasing scrutiny on the routers that make up the majority of the Internet and corporate networking infrastructure. The researcher will unveil his work on May 22 at the EuSecWest conference in London.
A Cisco rootkit is particularly worrisome because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.
This will no doubt compound the concerns raised by the FBI's disclosure that vast quantities of counterfeit Cisco gear (from China) are being sold and installed in government and military networks. Rootkits could potentially be hiding in these routers with no current way of detecting them. The U.S. Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously, according to a leaked FBI presentation that underscores problems in the Cisco supply chain.
This is the next milestone in the IOS Vulnerability Saga that we predicted and have been following for some years now. The last such milestone was the shocking disclosure of IOS patching shellcode by a researcher in 2005, which led to the infamous lawsuit and the CiscoGate saga as Cisco tried to quash the information. IOS patching shellcode could compromise a Cisco router, but such programs are custom-written for one specific version of IOS, and details of how to accomplish this have been sketchy.
The shellcode revelations were very shocking because, until then, nobody thought you could actually build exploits for Cisco devices; this rootkit is the next step towards point-and-click IOS exploits.
Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem." In addition, as we have documented previously, patching IOS is no simple affair.
My company saw this coming almost 2 years ago, and our teams developed a Secure Network Infrastructure Assessment for clients concerned about the vulnerability of their IOS estate as well as the proper security configuration of these devices. It has had very brisk uptake, so at least some early leaders are starting to introduce the tools required to mitigate this risk. We also have a little online IOS Security self-assessment if you own IOS real estate and want to know whether you should be concerned.
Since May 2005 we have made several predictions/postings/observations on this topic:
March 2006
- The challenge of Cisco device patching

December 2005
- Lock down IOS in 10 steps
- Hacking to change tack in 2006
- Cisco's Chambers on IOS vulnerabilities
- ISS withholding another 15 IOS vulnerabilities

November 2005
- IOS exploit and auditing tools
- IOS makes it to SANS Top-20 vulnerability list
- Security set back six years
- Cisco IOS next big concern
- New IOS flaw patched

September 2005
- New critical IOS flaw

August 2005
- Cisco.com breached
- CiscoGate: The Lynn interview
- CiscoGate: Advice for customers
- CiscoGate: Microsoft shows the way
- Cisco IOS Flaw saga continues

July 2005
- Pulled IOS presentation spreads like wildfire
- Cisco & ISS Public Relations disaster
- Cisco & ISS file for injunction at BlackHat
- Cisco coverup ignites BlackHat controversy
- Cisco warns of serious IOS flaws

June 2005
- Hackers to target Cisco next?

May 2005
- Best you patch your IOS now
- The challenge of Cisco Network Device Patching