Cisco IOS Flaw and Worm Potential

At this past week's Blackhat Briefings in Las Vegas, Michael Lynn gave a detailed presentation on how to reliably exploit Cisco IOS-based devices (i.e. routers). For some background on this, read Security researcher causes furor by releasing flaw in Cisco Systems IOS, by Victor R. Garza, posted on 28 July 2005, and this blog post by Matt Webb. Lynn's presentation is akin to Shok's piece on reliable Windows-based heap overflow exploits from some years ago. The key to reliable exploitation of an IOS device is to convince the OS that it does not need to crash the system when it detects memory corruption. This has traditionally been the bane of anyone wanting to exploit an IOS device, because the system would typically reboot after an attack, creating a Denial of Service (DoS) condition rather than a compromise. Lynn's presentation may change that.

In my research on wormability, I found a number of IOS exploits that were listed only as DoS conditions for exactly this reason. As a result, IOS devices have rarely been considered viable targets for worms based on memory corruption attacks (i.e. stack or heap overflows). This may now change, and future IOS overflows may be stronger candidates for worms. Lynn noted this as well:

Later in his presentation, Lynn theorized that a worm using just this type of flaw could be written and create a "digital Pearl Harbor" effectively disabling the Internet globally. Mentioning that corporations utilizing other routers may state that they would be unaffected by such a flaw, should it be utilized, were not being reasonable as those same routers would ultimately be connected to Cisco hardware and thereby affected.

Source: Security researcher causes furor by releasing flaw in Cisco Systems IOS, Victor R. Garza, 28 Jul 2005, posted to SearchSecurity.com.

So, do I think we'll see an IOS worm in the near future? Probably not, if only because of the difficulty of getting the exploit values right for all of the different IOS version and hardware combinations (a micro-diversity situation, if you will). This should make it difficult for one piece of software to migrate from router to router. Instead, I expect we'll see pointed, directed attacks using these techniques. Now, this doesn't mean that some smart attacker couldn't come along and use a worm to spread successfully across IOS devices; I just think it's unlikely given past events and demonstrated capabilities and interests.

The specific vulnerability involved in this research requires link-local access to the router. Very few people have that kind of access to arbitrary vulnerable routers, which helps mitigate the potential for any such worm.

August 2, 2005 in editorial, media, new trends

Comments

It's not clear to me how much diversity really is provided by Cisco gear. The processor architecture is common and the code base is fairly common. Even if there is some diversity, CDP and conventional DNS names often give enough information to figure out which diverse platform a neighbor is. The diversity (if it actually exists) would require an attacker to have a separate exploit for each and be able to remotely identify which to use.

The level of difficulty to get such a worm right implies that it would only be used when such an attack would have a great return on investment. Such an attack is not likely to be executed by point-provers or curious grad students. However, should such an attack be executed it would likely be executed by those with the means and intent to do significant damage.

I don't think historical trends provide the right data for accurately projecting the future of worm attacks. The actors, technologies, economics, and motivations are changing too rapidly to rely on the history accurately. What else to rely on then? Technical possibilities weighted by the likelihood of such possibilities given known actors' motivations (add malice to be conservative). Of course, that won't work perfectly either, but it's better than using distorted a priori evidence.

Posted by: Dan Ellis | Aug 3, 2005 8:48:37 AM

Have you seen the video with Cisco ripping up the source code books yet?

Posted by: CiscoHQ CCNA Cisco Forum | Jan 25, 2006 7:06:09 PM
