Opinion

Flaw Watch: Cisco Router Flaw Demands Attention

This week, Cisco patches security holes in several products, including SSH server software used in its routers.

By Bill Brenner, Senior Editor

May 22, 2008

About Flaw Watch: Each day, piles of flaw advisories are released by the various vendors, researchers and vulnerability clearinghouses. Since CSOs don't have time to review them all, we zero in on the most pressing issues and what can be done about them.

The security community is paying a lot of attention this week to some fixes Cisco Systems released for such products as its Internetwork Operating System (IOS). The attention is deserved, since a sizable chunk of Internet traffic passes through routers produced by the San Jose, Calif.-based network giant.

As IDG News Service writer Robert McMillan wrote in his report on the matter, Cisco issued three security patches Wednesday to plug holes attackers could exploit to crash those routers. Specifically, the latest problems affect the SSH (Secure Shell) software in Cisco's Internetwork Operating System (IOS), which is used to power its routers, and in the Cisco Service Control Engine, which provides carrier-grade networking services. The vendor also patched a privilege escalation vulnerability in its Voice Portal automated telephone customer service software.

The SANS Internet Storm Center deemed the flaws important enough to flag them on its Web site.

"While the 'Exploitation and Public Announcements' portion of all three advisories states that the vulns were discovered in-house, it's a pretty safe bet that a fair number of security researchers are feverishly reverse engineering the updates to develop exploits for private use and/or public release," the storm center's George Bakos wrote.

Another reason this has received a lot of attention is that Sebastian Muniz of CORE Security was scheduled to release a proof-of-concept Cisco IOS rootkit at the EuSecWest confab this week.

For the sake of balance, it's worth noting that IOS flaws have surfaced repeatedly over the years, but there's no evidence the digital underground ever succeeded in launching a major attack through that vector. Of course, one can't assume it'll never happen.

Debian Linux OpenSSL issue


Another issue that's gotten a lot of attention this week concerns a random number glitch that researcher Luciano Bello found in the OpenSSL package used in the Debian Linux operating system. In its advisory, Debian "strongly recommended that all cryptographic key material generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems be recreated from scratch." Furthermore, Debian said, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised.

This is a big deal, according to security luminary Bruce Schneier.

"Random numbers are used everywhere in cryptography, for both short- and long-term security," he wrote in his blog. "As we've seen here, security flaws in random number generators are really easy to accidentally create and really hard to discover after the fact."

This is serious stuff if you use Debian Linux, but it becomes a lot less ominous when one considers that a vast number of IT shops use Microsoft Windows. Windows has been the target of countless attacks over the years, but this problem appears to be specific to the Linux world.
