Millions Of Cisco Devices Vulnerable To AttackMillions Of Cisco Devices Vulnerable To Attack

The race is on: Can security managers plug the flaw in the operating system for Cisco Systems switches and routers before hackers take advantage of the vulnerability and crash corporate networks and parts of the Internet? Cisco revealed the operating system problem Wednesday and made available a patch to fix it. But a day later, someone published a method, known as an "exploit," for using the flaw to shut down network traffic flowing through Cisco devices.

That means corporate security and network managers, as well as Internet service providers, need to move quickly to patch their systems before someone uses the exploit to attack their networks. The exploit was posted to the Full Disclosure security mailing list late Thursday. It lets attackers target and potentially shut down individual routers and switches. However, the exploit does not let attackers conduct a widespread, automated distributed denial-of-service attack, which comes from multiple systems toward targeted systems.

But that could change quickly, security experts say. "It's just a matter of writing a script. It's a simple thing to do," says Al Huger, senior director of engineering security response for the security firm Symantec Corp. "It's not a matter of if this will become automated, it's a matter of when." Most Internet security companies have raised their warning levels because the exploit was published. Internet Security Systems Inc. raised its "AlertCon" status to three, with four being the most severe alert level. Symantec has also gone to a level three on a scale of one to four.

There isn't any clear evidence that hackers are using the new exploit, but some abnormal router behavior is being reported, says Shawn Hernan, team leader for vulnerability handling at the federally funded Internet security watch-group CERT Coordination Center. Symantec has seen a small amount of activity around the exploit, Huger says. "It's being used to a small degree. It's being tested."

In the past, hackers generally haven't attacked known flaws in networking gear, Huger says. "This hasn't been the kind of thing used for mass distributed denial-of-service attacks. But all it takes is one person with poor judgment to change that," he says.

The flaw affects versions 11 and 12, up through revision 12.3, of Cisco's Internetworking Operating System. When certain types of Internet Protocol version 4 packets are sent to an unpatched switch or router, the device incorrectly handles the packets and ceases operations. Typically, traffic on the router or switch will be stopped one way for four hours, then, as the device refreshes its tables, traffic heading in the other direction also stops.

Detailed information on the Cisco flaw is available here.

Security experts are very concerned about this because Cisco devices make up about 80% of the switches and routers used to handle Internet traffic, meaning there are millions of potentially vulnerable devices that need to be patched.

"Patching an IOS flaw is no walk in the park," Huger says. "It's something people are loath to do because patching these devices can often cause other problems. But this is one that can't be put off. You have to get to this."

CERT's advisory on the exploit posted Friday can be found here.