Cisco IOS Exploit Cover Up
Janet Sullivan
ciscogeek at bgp4.net
Fri Jul 29 19:44:28 UTC 2005
Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box. :) (the 1601 or the
> 2500's)
If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.
The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.
Exploit #1 will be made public. Cisco will release fixed code. Good
service providers will upgrade.
The upgraded code version will be the one targeted by the second,
unknown, exploit.
A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers. A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on
each router. Not all routers will be affected, but some will.
As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do
something fun like erasing configs and locking out console ports. ;-)
Honestly, I've been expecting something like that to happen for years
now. <shrug>