New Cisco IOS bugs pose tempting targets, says Black Hat researcher

VoIP implementations, basic coding within the devices and few router security features have made routers an increasingly attractive target.

LAS VEGAS -- While there haven't been any large-scale attacks exploiting network router vulnerabilities, VoIP deployments and new Web services features -- sometimes enabled by default -- make the devices increasingly attractive targets for malicious hackers.

That was the message Wednesday from security researcher Felix "FX" Lindner, a featured speaker at the Black Hat USA 2009 briefings and conference. Lindner presented a way hackers can compromise Cisco Systems Inc.'s Internetwork Operating System (IOS), the underlying OS of the networking giant's routers.

By exploiting weaknesses in the router's basic internal code, an attacker would be able to execute malicious code and gain access to critical systems. Router operating systems are based largely on Unix architectures and are easy to exploit if a hacker knows the right way to navigate through the code, Lindner said.

"I think it's well established that infrastructure is where attackers want to be," Lindner said. "Obviously a couple of obstacles make it harder to write deeper exploits for Cisco routers … but someone at some point in time is going to have the right idea."

One reason attackers typically do not exploit router flaws in large numbers, Lindner said, is that so little is known about the vulnerabilities contained within the devices and little related research has been published. Cisco fixed 14 vulnerabilities for IOS last year. Among its enterprise networking vendor rivals, Juniper Networks Inc. only reports memory leak and OpenSSL issues, and little information is provided by Nortel Networks Corp., he said.

Lindner laid out three classes of vulnerabilities that could affect routers today: service vulnerabilities, client-side vulnerabilities and transit vulnerabilities.

Last year's SNMP vulnerability affecting Cisco IOS routers is an example of a service vulnerability. It allows spoofing of authenticated SNMP packets. However, Lindner said service vulnerabilities don't expose much functionality to the remote hacker.

"The threat is more from people sitting in your network than people sitting outside of your network," he said.

But new deployments of Internet Protocol version 6 (IPv6) and VoIP installations may make routers more vulnerable to remote attackers. IPv6 was considered a security threat due to the many net tunnels used to connect to IPv6. The issue is being addressed, but any new technology poses increased risks, Lindner said. Also, router device maker Huawei Quidway's devices come with VoIP and Web service routing services enabled by default.

Routers are also virtually immune to client-side vulnerabilities because they rarely are used as clients. Transit vulnerabilities are triggered by traffic passing through the router, and so far this class of vulnerabilities hasn't affected routers.

Exploiting routers to cause a denial of service or launch malicious code against targeted machines is still a highly technical and difficult endeavor, but Lindner said attackers will have more attack vectors over time.

"Routers don't expose much functionality to the attacker," Lindner said. "Over time I think we'll see more exploits."
