Security Basics mailing list archives

Re: Cisco Workaround


From: Jac <jac_des_vert () yahoo com>
Date: Thu, 31 Jul 2003 03:52:47 -0700 (PDT)

Oh, you guys are no fun at all.

The key to a conspiracy theory is that the facts have
to at least marginally support the theory and not
prove it. Just enough evidence to make one paranoid
but not make you want to hide in your fallout
shelter.

This is perfect for a conspiracy: a very large company
finds a problem, exploits the security nervousness of
the market to get everyone to upgrade to the most
recent version, and saves a big wad of cash by doing
so. This has more realism than the grassy knoll
theory.

The support money that Cisco makes is just the point
that makes the theory work. If I can collapse down to
fewer versions of IOS, meaning one version for each
feature set, thus upgrading all the systems to the
latest, you will take fewer support calls because you
will deal less often with users with older versions.
If there are fewer older versions out there then you
don't have to deal with people calling about problems
that you fixed in newer software and thus lower your
overall calls. Fewer calls means fewer resources and
thus lower costs. I wasn't suggesting that they would
all collapse into a single IOS version. Thus the
argument isn't "silly."

The convenience of the flaw isn't that they added it
but that it just came up at a time when it was
convenient to use. The multiple versions of IOS in
active use could be quickly brought to a smaller
number by a dangerous flaw. And conveniently the flaw
was dangerous enough that admins would do the upgrade
ASAP and reset their machines. They did the work, and
you didn't have to take a lot of responsibility or
have to fight with them to get them to upgrade.

As for the flaw itself being rare, well, that's
exactly the type of thing hackers look for. They want
something to break stuff and the common high use
protocols obviously don't have the problem. The
variations of the TTL, special crafting, and the use
of 76 packets to do it would make this a hacker's
pot of gold. And it obviously was since it took only 2
days for someone to make an exploit. The typical time
estimate for announcement to exploit has been 30 days.
I think Cisco got lucky that no one was very inventive
with testing their routers. The only problem I have is
how many other types of routers may have similar
issues. (That makes me a bit nervous at times.)

In the end you're correct that Cisco did the right
thing and that there is no conspiracy (no matter how
fun it is to poke fun at it). I have found little
press that makes this out to be a big deal, which it
was at least from the amount of work I had to do and I
can guess there were others that had much more than I.

Jac


--- James Fields <jvfields () tds net> wrote:
This sounds false on its face.  Cisco actually makes a great deal of money
from providing support (trust me, I know what my company pays for a blanket
contract and it's enough to put several Cisco-kids through college every
year).

There's a pretty good reason why this flaw wasn't found sooner - the
parameters required to exploit the flaw are a combination of things that are
extremely unlikely to occur naturally.  Three of the four protocols are not
something you'd intentionally target at a router.  The fourth (PIM) is
something you would target at a router if you needed it, but my
understanding is with PIM support in the IOS and enabled, the router isn't
affected.  Further, for all four protocols the TTL on the packet has to be
exactly at the point of expiring to get "wedged" in the input queue.  It is
very rare for any packet's TTL to expire exactly at the place where it is
intended to land except during traceroutes - the only other time it is
common for a TTL to expire is where there is a routing loop somewhere in a
network.

What is quite possible is that once in a VERY long while a router might be
affected by something in these protocols, but since it takes a lot of these
special packets to fill the input queue in many cases people may not know
they were being affected at all, or may have opened TAC cases wondering why
their input queues seemed to be stuck at something higher than 0.  I would
bet a (small) sum that up until the flaw was announced and hackers got busy
creating exploits, there were no documented cases of a router's interface
getting hosed this way that were attributable to this kind of traffic.

How exactly would Cisco "conveniently" find this flaw?  Are you suggesting
that they somehow introduced it?  How could they do that when it is
apparently in every IOS since 1994?  That certainly seems to be the
suggestion given your assertion that it is odd that it wasn't discovered
sooner.

I do not think we are praising them for having such a nasty bug.  I think
the reason Cisco is looking OK is that Cisco's behavior in revealing it
themselves is seen in contrast to so many companies who A) don't find their
own flaws and B) ignore them or deny them when notified.  If you wanted them
to be like everyone else, they could simply have kept this one to themselves
and hoped no one would find it for a couple more years, counting on most
everyone upgrading past the vulnerability.  Based on how long it went
undetected, they could have tried that.

On Wed, 2003-07-30 at 07:33, Jac wrote:
As to support, I heard an interesting conspiracy theory related to Cisco
support and the IOS flaw:

The theory is that Cisco had far too many IOS versions that they support in
the field and in order to reduce support costs they "conveniently" found
this flaw with the IOS software and used it to propel an upgrade of all IOS
systems, thus reducing the overall costs of support and saving Cisco a large
amount of $$$$$.

I have found it strange that such an easy and dangerous flaw has not given
Cisco a black eye on this. Micro$oft constantly is getting beaten for less
dangerous flaws in their OS and other software, but Cisco actually has
gotten praise for having found and published the flaw's details [as limited
as those details were].

What do you think?

Jac


"I'm not paranoid, everyone is out to get me."

-- 
James V. Fields
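The trigger conditions James lays out (one of the four affected protocols, a TTL at the point of expiring, enough such packets to fill the input queue) turned into detection logic over constructed packet records. This is an added example, not code from the thread, from Cisco, or from any exploit; the protocol set (the thread names only PIM, IP protocol 103), the 75-packet default input queue and the reading of "expiring" as TTL 0 or 1 on arrival are assumptions.

```python
"""Flag IPv4 traffic matching the conditions described in the thread for
the 2003 Cisco IOS input-queue wedge, so an operator can tell a stuck
input queue caused by this traffic apart from ordinary TTL expiries.
Added example; assumptions are labelled inline."""
from collections import Counter

# ASSUMPTION: only PIM (IANA protocol 103) is named in the thread; the other
# three protocols from Cisco's advisory would be added here from that advisory.
WEDGE_PROTOCOLS = {103}
# ASSUMPTION: default IOS input hold-queue of 75 packets, so the 76th wedged
# packet (the count Jac cites) is what blocks the interface.
INPUT_QUEUE_SIZE = 75


def ttl_expires_here(ttl: int) -> bool:
    """True when the packet's TTL runs out at this router.
    ASSUMPTION: TTL as seen on arrival, before decrement, i.e. 0 or 1."""
    return ttl <= 1


def wedge_candidates(packets):
    """Count packets per (interface, source) meeting both trigger conditions.
    A traceroute probe expires here too but uses a non-affected protocol."""
    counts = Counter()
    for p in packets:
        if p["proto"] in WEDGE_PROTOCOLS and ttl_expires_here(p["ttl"]):
            counts[(p["iface"], p["src"])] += 1
    return counts


def interfaces_at_risk(packets):
    """Interfaces whose candidate packets exceed the input queue size."""
    per_iface = Counter()
    for (iface, _src), n in wedge_candidates(packets).items():
        per_iface[iface] += n
    return sorted(i for i, n in per_iface.items() if n > INPUT_QUEUE_SIZE)


# Constructed sample: 76 PIM packets with TTL 1 on one interface, one
# traceroute-style ICMP probe (proto 1) with TTL 1, and a PIM packet with a
# healthy TTL on another interface. Addresses are documentation ranges.
SAMPLE_PACKETS = (
    [{"iface": "Fa0/0", "src": "198.51.100.7", "proto": 103, "ttl": 1}] * 76
    + [{"iface": "Fa0/0", "src": "203.0.113.9", "proto": 1, "ttl": 1}]
    + [{"iface": "Fa0/1", "src": "192.0.2.4", "proto": 103, "ttl": 64}]
)

if __name__ == "__main__":
    for (iface, src), n in wedge_candidates(SAMPLE_PACKETS).items():
        print(f"{iface} from {src}: {n} candidate packets")
    print("interfaces at risk:", interfaces_at_risk(SAMPLE_PACKETS))
```

On a real box the same counters would be fed from an interface ACL with logging or a NetFlow export rather than from an in-memory list.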
