Thursday, May 15, 2008

Cisco IOS Timebomb - one step closer...

The IOS vulnerability threat just ratcheted up a notch with another first - someone has actually developed a malicious rootkit for any version of IOS that runs on Cisco's routers, a development that has placed increasing scrutiny on the routers that make up the majority of the Internet and corporate networking infrastructure. The researcher will unveil his work on May 22 at the EuSecWest conference in London.

A Cisco rootkit is particularly worrisome because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.

This will no doubt compound the FBI's concerns, following its disclosure that vast quantities of counterfeit Cisco gear (from China) are being sold and installed in government and military networks. Rootkits could potentially be hiding in these routers with no current way of detecting them. The U.S. Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously, according to a leaked FBI presentation that underscores problems in the Cisco supply chain.

This is the next milestone in the IOS Vulnerability Saga we have predicted and been following for some years now. The last such milestone was the shocking disclosure by a researcher in 2005 of IOS-patching shellcode, which led to the infamous lawsuit and the CiscoGate Saga as Cisco tried to quash the information. IOS-patching shellcode could compromise a Cisco router, but such programs are custom-written to work with one specific version of IOS, and details of how to accomplish this have been sketchy.

The shellcode revelations were very shocking because, until then, nobody thought you could actually build exploits for Cisco, but this rootkit is the next step towards point-and-click IOS exploits. Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem." In addition, as we have documented previously, patching IOS is no simple affair.

My company saw this coming almost two years ago, and our teams developed a Secure Network Infrastructure Assessment for our clients concerned about the vulnerability of their IOS estate as well as the proper security configuration of these devices. It has had very brisk uptake, so at least some early leaders are starting to introduce the tools required to mitigate this risk. We also have a little online IOS Security self-assessment if you own IOS real-estate and want to know whether you should be concerned.

Since May 2005 we have made several predictions/postings/observations on this topic:

March 2006
The challenge of Cisco device patching

December 2005
Lock down IOS in 10 steps
Hacking to change tack in 2006
Cisco's Chambers on IOS vulnerabilities
ISS withholding another 15 IOS vulnerabilities

November 2005
IOS exploit and auditing tools
IOS makes it to SANS Top-20 vulnerability list
Security set back six years
Cisco IOS next big concern
New IOS flaw patched

September 2005
New critical IOS flaw

August 2005 breached
CiscoGate:The Lynn interview
CiscoGate:Advice for customers
CiscoGate:Microsoft shows the way
Cisco IOS Flaw saga continues

July 2005
Pulled IOS presentation spreads like wildfire
Cisco & ISS Public Relations disaster
Cisco & ISS file for injunction at BlackHat
Cisco coverup ignites BlackHat controversy
Cisco warns of serious IOS flaws

June 2005
Hackers to target Cisco next?

May 2005
Best you patch your IOS now
The challenge of Cisco Network Device Patching