Cisco IOS Bug Discovered
The problem was discovered through Cisco’s internal testing of devices running IOS software, says Robert Barlow, a spokesman for the company. The vulnerability is present in all routers running IPv4, the predominant version of Internet Protocol. It does not affect routers that are only running IPv6.
According to the advisory posted on Cisco's Website, a DOS attack can be launched through a rare, specially crafted sequence of IPv4 packets. The problem occurs when the special sequence of packets incorrectly flags the input queue on the router interface, making the router believe that it can’t handle any more incoming traffic. The router then stops processing inbound traffic on that interface and packets are dropped. These kinds of attacks do not trigger any alarms and can be repeated until the device is inaccessible.
The device must be rebooted to clear the input queue on the interface, and will not reload without user intervention. The attack may be repeated on all interfaces causing the router to be remotely inaccessible, according to Cisco’s alert.
Cisco began contacting customers, including Internet service providers, corporations, and government, academic, and Internet security organizations regarding the problem, late on Tuesday. It’s also been providing free software on its Website to fix the problem, along with requested support from its Technical Assistance Center (TAC).
Cisco and at least two service provider customers -- AT&T Corp. (NYSE: T) and Cable & Wireless (NYSE: CWP) -- say there have been no known attacks due to the vulnerability. It had been rumored on the North American Network Operators' Group (NANOG) email list that AT&T's West Coast routers may have been affected by the vulnerability. Dave Johnson, a spokesman for AT&T, denies this and says yesterday’s problem was due to a misconfigured router in San Francisco.
“It was a human error and not a software or hardware problem,” he says.
So how are AT&T and other carriers dealing with the fixes? Johnson says his company has been working around the clock to apply Cisco's recommended fixes to all of its routers. But he wasn’t able to estimate when he expects the process to be completed.
Richard Starnes, director of incident response for Cable & Wireless, says his team has finished its initial phase of fixing the problem. His team started by securing its borders and external-facing routers. This included setting up access control lists, which would only let certain known packets through the routers. The team also immediately began upgrading new software from Cisco onto critical routers that could not afford service degradation from stringent access control list rules. After completing this initial phase, the carrier has moved onto fixing routers on its internal network.
“I would say we are looking at a couple of days, maybe three days of work left,” says Starnes.
While the potential threat of a DOS attack is certainly something to be concerned about, Starnes says he thinks people are overreacting.
“A lot of times people are scared of things they don’t understand,” he says. “We deal with these kinds of bugs all the time, and we’re ready for them. There’s no need to run out and buy bottled water or canned goods and head for the hills.”
— Marguerite Reardon, Senior Editor, Light Reading