A researcher has discovered a way to reliably exploit a known security vulnerability in a wide class of Cisco System routers, a finding that for the first time allows attackers to hijack millions of devices with a single piece of code. The discovery by Felix "FX" Lindner of Recurity Labs in Berlin brings the write-once-run- …
"Nobody ever updates them, and not because they're lazy, but because the update breaks so many things."
That's because their QA is quite frankly shit. Every single IOS I've ever used has had glaring and obvious bugs that shouldn't have got past testing.
The general rule is stick to a version which works for you and never upgrade. Until Cisco actually start testing their IOS releases prior to shipping them, nobody is going to change that.
What really annoys me is that, unless you have a support contract, it's nigh impossible to get any sort of patches out of Cisco. Even bugfixes addressing a known exploited vulnerability.
I understand that IOS is their crown jewels, and obviously they don't want to give the source away to any Tom, Dick or Harry, but really, when it comes to patching faulty code they should be begging the users to take the fixes.
@Tony Hoyle re. Not surprising
"..Every single IOS I've ever used has had glaring and obvious bugs that shouldn't have got past testing..."
Testing? What's that for? Our world class development team tested it as they built it and they've shown it working to senior management. What more can you need? The problem with you is that you're not a team player!
(Weary and cynical systems test engineer shrugs and walks away)
End of support comes fast too
There's a hell of a lot of routers out there more than 4 years old, which means they'll never get updates coded to fix new vulnerabilities. Cisco have got complacent and assume it will force people to upgrade to their own newer products, but once you're upgrading, other vendors' offerings look mighty attractive, cheaper, and even free in the case of Quagga and the like - especially for Ethernet to Ethernet routing.
Totally agree with everyone else on the QA front - people stick with an IOS that works for years and years rather than discovering the latest bugs, recent code for the supposedly top of the line 6500 has been especially poor.
Well *sure* we tested it, but that was on IOS version 12.3.(TPS)/J-woowhoo Enterprise; you're running 12.3.(TPS)/J-woowhoo Enterprise *Plus*, you silly goose.
The article says that there's more than 15,000 supported builds out there... Damn, I knew that there were an ungodly number, but I had no idea it was that extreme!
(somewhat) Funny war story to cheer up the router gods out there: I was working at a small ISP back in the late '90s (the kind of ISP that bought used 2500s and 3640s but no support contracts, so you fret over a collection of IOS .bin files). We turned up a bonded pair of T1s from a tier 1 ISP who will remain nameless, and had some speed issues.
To test the line speeds, their tech support guys directed us to a private FTP server. The server had a fat pipe to their backbone, and was dedicated to customers like us. SOP was to upload and download a fairly good size (say several MB) file directly from your router and see what transfer rates you got (directly from the router so that they weren't stuck debugging your internal network issues).
Hmmm, now what files would one have handy on the router that fit the size requirements? Bingo! IOS images. Since the site was semi private, they had a nice big shared directory with o+rw, which happened to have some images with more bells and whistles than my stock ones.
@Tony Hoyle - Agree
When I was (young) and naive, I used to update my IOS images fairly regularly. After getting my arse bitten far too many times I gave up. When we'd binned our 6500 switch, it had been running the IOS that came from the factory for 5 years.
IOS releases just have far too many regressions and you need your core network to be rock solid.
Anyway, who can afford to have their network go down every few weeks as they upgrade all their IOS images?
Agree with AC
Until Cisco provide updates free like every other company does, nobody can update their IOS. I update my HP switches because I can download the updates easily.
The end of the internets.
You mean you don't have hot-swap routers available in case of hardware failure, that you can swap in and cycle back when the upgrade is done? *gasp*
Vindicated at last...
Every time I have evaluated a Cisco device against something else, the result has gone badly against Cisco.
As a result, my (sometimes international) networks have been secure for many years. However, it appears that I am NOT a network engineer, despite my 30 years' experience, as I do not have Cisco accreditation.
Agencies will not pass my application form through and if they did, the employer now also believes that Cisco === Networks.
I agree wholeheartedly. However, Cisco are even worse than most people imagine; updates for free? What updates? You need to download the whole IOS image. And that's why they don't do free updates. If they produced patches then you would need the original IOS image for the patch to work; however, in most cases you need to download a complete IOS image, so this would mean them giving away the latest IOS for free to everybody who wanted it. In particular it would allow you to upgrade from the standard image to the full service provider image.
It's strange because I'm in the middle of... updating the firmware on a bunch of Cisco switches.
I downloaded the new image file from Cisco yesterday. The website kept timing out but I persisted and got a copy of the image file I wanted. It wasn't the latest version (which got me a Forbidden error *after* showing the download page) but just one to bring all the older versions up to the same version as the 3750Gs.
So you can have updates for free as long as you don't want the latest.
Oh noes! Now I've read the article it looks like it's better to have lots of different versions because a vuln in one will be applicable to all if they're all the same. Oh wait a minute this is about *routers*, I'm updating *switches*. That means I'm safe doesn't it? Doesn't it?
Testing at Cisco is crap, I know as I used to do it. Single module regressions often run for over a day (daily obviously) and produce masses of verbose output. This is then "analysed", and any new breaks raised as bugs.
At this point people start playing pass the bug as "that's a <insert different module name here> problem" and you end up with huge bug lives (I once saw a bug with a life of over 1000 days...).
15,000 images sounds like too few. By the time you take 12.0 - 12.5 (when I was there), multiply up by the various supported platforms for each, multiply up by the feature sets and add on special brews for various customers with deep pockets, I am surprised it's only 15k! Finding the correct image in that place was always fun.
But then this is half the testing issue: each bit of test code is cross compiled to suit various platforms and feature sets and there is no way in hell all of them are/can be tested.
"That's because their QA is quite frankly shit. Every single IOS I've ever used has had glaring and obvious bugs that shouldn't have got past testing."
Quit whining, the IOS code builds, that is quite enough quality for the likes of you ;-)
Find your dude
I agree with everyone so far. And I'd like to add that since the IOS has been pirated, nobody should consider it secure. Pretending vulns don't exist is what large computer corporations have done as a matter of history since the '70s. It's just how it's done.
For good advice on the subject you should find the closest Cisco corporate office. Ask for a sales call and request an engineer. If you don't have anyone local, then call someone at Cisco. It's more difficult over the phone to be sure. So good luck.
A real Cisco engineer that will come over for free and give advice is a good thing. And having another person to blame when something goes wrong is always good. Setting up that kind of relationship made all those things you are talking about disappear.
And if you can't make that happen then the other commenter is correct. You don't need to buy Cisco equipment. Find your local "dude".
...can't we have at least one "Linux is best at everything." or M$ bash in an article? What's wrong with you guys! C'mon...