back to article Lock up your top-of-racks, says Cisco, there's a bug in the USB code

It's 2015, and the right stuff on a USB stick can still crash a substantial switch. Cisco hasn't yet worked out how to fix this vulnerability, and as a result, the details it offers in the advisory are sparse. What we can glean from the note is that the crash can only be triggered by a local user. Here's how Cisco explain the …

WTF?

"There are no workarounds that mitigate this vulnerability."

They shipped a product with a USB port and no way to disable the USB port in hardware, firmware, or software?

3
0
Anonymous Coward

Re: "There are no workarounds that mitigate this vulnerability."

Silicone Glue will disable the USB port.

4
0

Re: "There are no workarounds that mitigate this vulnerability."

Ummmmm, do we need to bring up the vulnerability of a ethernet cable being unplugged when it is out in the open? It is 2015 folks and most of us have been locking equipment in special closets or in data centers for years. Anyone who has their stuff open to the world is just asking for trouble.

1
0

It's 2015, and there are still far too many hardware manufacturers that naively trust anything that can be plugged in, read from, or sent to their devices. We live in a world where all developers from the low-level device I/O guys to the top-level app developers need to assume that someone somewhere at some point try to send malicious data to them, and code appropriately.

It's a bad bad world out there. Assume malicious intent from any data you receive.

5
0
Silver badge

I think more like everyone assumes someone else will be doing the security stuff. Since management doesn't make it a priority, why should the troops in the trenches try?

5
0
Silver badge

“The vulnerability is due to insufficient handling of USB input parameters. An attacker could exploit this vulnerability by sending crafted USB parameters to be processed by the kernel of an affected device”

What exactly does the buzzword bingo mean? It could be read as the drivers are garbage.

0
0
Silver badge

"insufficient handling of USB input parameters"

"It could be read as the drivers are garbage."

I think that's exactly what it's saying.

2
1
Silver badge

> What exactly does the buzzword bingo mean? It could be read as the drivers are garbage.

Sounds like code for a stack overflow bug. "Insufficient handling" means it doesn't length check properly and "crafted" means if you stick some Intel op codes in the overflow part, they get executed.

1
0
Anonymous Coward

This is not just a security problem

Sanity validation should be performed at all stack layers from devices up to applicatin services. All input should be considered likely to be invalid from network, USB, and any other input device, peripherals...

Failure to do so encourages impossible to diagnose "unknown error" code, and exposes a risk of both malicious and simply rubbish code to cause confusion, delay, and exploitation.

/EndRant

1
0
Coat

Re: This is not just a security problem

"unknown error"

I get that a lot from Windows Update.

1
0
Paris Hilton

Re: This is not just a security problem

"unknown error"

This one always gets me. Is an unknown error better or worse than a known error?

On the one hand, how does the software know there's an error if the error's unknown?

On the other hand, if the error's known, why didn't the developer fix it before shipping the software?

0
0
Anonymous Coward

same code as basic edge switches

not the first time. this sounds very similar to what could occur on the 2960s range (their more basic edge switches) - something like a USB stick formatted for different platform (eg xfs/zfs or HFS+) would probably do the trick :/

0
0
Anonymous Coward

Dear armchair developers, thanks for repeating the same truths we all know.

Dear armchair developers, can you tell us a foolproof way of ensuring that all inputs every are always checked for every possible invalid value so we can prevent this from happening again?

1
4
Bronze badge

Re anonymous coward

>can you tell us a foolproof way of ensuring that all inputs every are always checked for every possible invalid value

First of all, do not -- repeat *not* -- automatically execute code from anything plugged into a system. Second, if you're using a 'proper' OS disable automatic mounting of an external drive.

Third, particularly important for embedded systems, is that all input data needs to be checked for off-the-wall values. If its configuration data that's legal but could cause improper operation of the unit in its target environment then you need to control who gets access and why.

Simple stuff. Routine for programmers -- at least it should be. Unfortunately we're plagued with people who only know Windows like end user systems, who think its natural for USB sticks to automatically mount themselves and run code because they're USB sticks. Its time to learn the truth -- all storage, USB sticks included, is harmless unless you use the data on it.

1
0

Re: Re anonymous coward

Reading the data may not be necessary to hit the problem - from the description it sounds more like a vulnerability in either the USB protocol code or the filesystem driver, so the exploit would involve a USB stick with customised firmware on its microcontroller, or a custom filesystem creator to write wacky stuff into filesystem metadata.

1
0

Dear armchair developers, can you tell us a foolproof way of ensuring that all inputs every[sic] are always checked for every possible invalid value so we can prevent this from happening again?

Sure thing. Check for valid values instead and discard anything else.

Yes, yes, I know that's not always a simple task, but I do think many software vulnerabilities could be avoided if developers were in the habit of always checking that input is exactly the type of input expected before acting on it in any way.

If you're expecting a record containing 3 fields, it's much better to verify it really contains 3 fields before you go on to the next step, instead of hoping to catch the error when something goes wrong because it contained 2 or 4.

1
0
Bronze badge
Facepalm

Dear armchair developers, can you tell us a foolproof way of ensuring that all inputs every are always checked for every possible invalid

Yes, we could - but you Real People out there in the "Real World(tm)" wouldn't be able to understand it and why should you; you know every truth there ever was already.

PS:

Inverse the the problem, your proposed "Check all Possible States of the Universe" becomes "Only handle what "you" *know* *how* to handle and reject everything else". Compilers work like that and everything plugged into the live Internet does too.

PSPS:

It's not an arm chair that I have here, it's a massage chair. Leather. Details matter.

1
0
Mushroom

Not the biggest threat

If you're trusted sufficiently to get close enough to one of these routers to plug in a malicious usb key, presumably you're also close enough to pull out the power cable, take a hammer to it, or simply hit the off switch!

5
0

Re: Not the biggest threat

. . . but people do inadvertently pick up the wrong stick, forget what they MEANT to do/WERE doing, not realise that they've picked up some malware, etc. etc. The information doesn't provide any information that specifies associated user actions which implies that just inserting the USB stick may be enough.

The person doesn't need to be malicious for bad things to happen.

3
0

Re: Not the biggest threat

Covertly setting up eavesdropping on installed gear, or installing backdoors during maintenance or equipment delivery... these are both things that happen:

https://www.techdirt.com/articles/20140124/10564825981/nsa-interception-action-tor-developers-computer-gets-mysteriously-re-routed-to-virginia.shtml

0
0
Silver badge

Cisco

the Adobe of networking.

0
0
FAIL

Denial of service

So, what they are saying is that, given physical access, someone with a specially crafted USB key can cause a denial of service. What about just pulling the power cord? Denial of service achieved, and much less time-consuming than going to the lengths of creating that magic USB key.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017