Cisco IOS Exploitation Technique and Defense In Depth
As many of you have seen, The Register and other mainstream media outlets are starting to discuss a new technique for reliably compromising a small subset of Cisco gear. The technique was discovered by FX of Phenoelit, probably the best-known Cisco exploit researcher, and was presented last week at the Chaos Communication Congress (CCC).
At the moment he has not found a way to reliably run exploit code on all Cisco gear; the method works only on a small set of PowerPC-based platforms (the 1700 and 2600 series). It relies on the Cisco boot loader (ROMMON) and on a tool named CIR (cir.recurity-labs.com), which supports the 1700 and 2600 routers. With this technique it may become possible to reliably exploit a single vulnerability across a number of routers.
By presenting this technique at the CCC, FX showed the deep need for multiple layers of defense around the routing infrastructure. If attackers can send packets directly to router interfaces, we will continue to have very serious problems trusting that infrastructure. All routers, switches, and other network gear should therefore have appropriate access controls on any traffic that terminates at the device itself, as opposed to traffic merely transiting through it. Where ACLs are not a viable option, rate limiting that same traffic can at least slow attacks that need many packets to find the sweet spot for code execution.
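The two layers described above, an infrastructure ACL on the ingress interface plus rate limiting of whatever still reaches the control plane, look like this on IOS. This is an added example written for this diary entry, not configuration from FX's talk or from Cisco; the addresses (192.0.2.0/24 for the router's own interfaces, 198.51.100.0/24 for the management network, 203.0.113.2 for the BGP peer) are constructed, and the second layer assumes an IOS train that supports Control Plane Policing.

```cisco
! Addressing below is constructed for this example:
!   192.0.2.0/24     addresses assigned to the router's own interfaces and loopbacks
!   198.51.100.0/24  management network (NOC jump hosts, SNMP poller)
!   203.0.113.2      the single eBGP peer facing FastEthernet0/0
!
! --- Weak setting: the edge interface accepts anything addressed to the router itself
!     (no ip access-group applied), so any Internet host can deliver packets that
!     terminate on the router.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
! --- Layer 1: infrastructure ACL on the ingress interface.
! Permits packets that TERMINATE on router addresses only from known sources;
! transit traffic (not addressed to 192.0.2.0/24) is passed to the normal edge policy.
ip access-list extended INFRA-ACL
 remark management protocols only from the NOC
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
 remark routing protocol only from the known peer, both directions of the session
 permit tcp host 203.0.113.2 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 192.0.2.1
 remark ICMP the router needs for path MTU discovery and basic reachability checks
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 echo
 remark everything else destined to the router is dropped (log sparingly: logging is CPU work too)
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark transit traffic is the job of the customer/edge ACL, not this one
 permit ip any any
!
interface FastEthernet0/0
 ip access-group INFRA-ACL in
!
! --- Layer 2: rate limit what still reaches the control plane (CoPP).
! Assumes an IOS train with Control Plane Policing. On trains without it, a
! per-interface CAR statement ("rate-limit input access-group ...") gives a
! similar, interface-local, effect.
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
ip access-list extended COPP-ROUTING
 permit tcp host 203.0.113.2 any eq bgp
 permit tcp host 203.0.113.2 eq bgp any
!
class-map match-all COPP-ROUTING-CLASS
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-ROUTING-CLASS
  police 256000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT-CLASS
  police 128000 8000 conform-action transmit exceed-action drop
 class class-default
  police 32000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The class-default policer is the part that matters for the attack discussed here: anything not explicitly classified (including packets an attacker sends while hunting for the right offsets) is held to a trickle, so a multi-packet search for the sweet spot takes far longer and shows up as drops in show policy-map control-plane. Verify the first layer with show access-lists INFRA-ACL and watch the deny counter and log lines. Before deploying, walk through every protocol the router itself speaks (NTP, syslog, TACACS+, DHCP, IGPs, and so on) and add a permit for each, or the ACL will cut your own management path; the entries above cover only the constructed scenario.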
More detailed information about the technique is available in the presentation by FX.
Scott Fendley ISC Handler