Researchers warn of new attack methods against Cisco IOS

Several new attack methods against Cisco IOS were uncovered during an analysis conducted by researchers at Information Risk Management.

Cisco Systems' Internetwork Operating System (IOS) is susceptible to attacks in which hackers could cause a denial of service or launch malicious code, according to an analysis conducted by researchers at London-based Information Risk Management (IRM).

IRM Chief Research Officer Andy Davis conducted the Cisco IOS security analysis over a two-month period along with senior consultants Gyan Chawdhary and Varun Uppal. The analysis includes videos demonstrating three different shellcode techniques the researchers used to gain remote level 15 (root) exec VTY (shell) access to IOS.

Each piece of shellcode was written in PowerPC assembly language and launched from within a development environment rather than the payload to an exploit, the researchers noted, adding that the development server is connected to the Cisco router 2600 Series via a serial cable and Ethernet for TCP/IP communications. "It takes a short while for the shellcode to start functioning as it has been hooked into the IOS image checksumming routine that runs every 30-60 seconds," the researchers said. "When each starts running, the arbitrary text ' ' is displayed on the console to indicate successful execution of the shellcode."

Cisco news:
Does security fit into Cisco's wireless agenda? Cisco Systems has unveiled new products in recent months to fill customer demand for more wireless networking capacity. But with more threats being directed at wireless users, is Cisco ready to address security issues?

Cisco users upbeat about security direction: Cisco customers say the vendor's security strategy is headed in the right direction, which is why they believe the networking giant's IronPort integration will be smooth sailing.

Cisco warns of critical IOS flaws: Attackers could exploit multiple flaws in Cisco's IOS to cause a denial of service or remotely execute arbitrary code.

The researchers say there are numerous other IOS security issues that will be released in the near future.

Cupertino, Calif.-based Symantec Corp. found the research noteworthy enough to flag it in an advisory to customers of its DeepSight threat management service.

"A successful attack may allow an attacker to execute arbitrary code and gain unauthorized access to the device," Symantec said. "Attackers can also leverage this issue to cause an affected device to reload, denying service to legitimate users. A sustained denial-of-service condition can arise due to repeated attacks."

Judging by the limited information in the security advisory, Symantec said, it is assumed that all Cisco IOS 12.x and IOS XR versions are affected. But Symantec said it can't verify that as yet.

Kevin Petschow, a spokesman for Cisco's Product Security Incident Response Team (PSIRT), said in an email exchange that IRM approached Cisco with its findings prior to issuing its news release, and that the networking giant doesn't see this as a flaw within IOS.

"We have confirmed the information provided does not represent a security vulnerability, but rather the proof that third-party code can be injected by users who already have physical access and full privileges software access to the Cisco IOS device," he said. "The third-party code is calling existing functions within Cisco IOS in the same manner as a legitimate Cisco IOS user would do upon issuing commands."

To mitigate the threat, Symantec recommended users block external access at the network boundary unless external parties require service, and deploy network intrusion detection systems to monitor network traffic for malicious activity.

Dig deeper on Network Device Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close