Cisco Exploit is Active

An active exploit targeting a known denial-of-service vulnerability in Cisco routers and switches has been released on the Internet, prompting security research firms to increase the threat level.

Cisco , which dominates the market for switching and routing equipment used to link networks, issued a patch Thursday to plug the security hole. But the availability of an exploit that’s already being used to target vulnerability routers has sent network administrators scrambling to apply fixes.

Dan Ingevaldson, Engineering Manager for network threat analysis firm ISS X-Force, told a “fully functioning exploit tool” was released on the Full Disclosure security mailing list at 2.28 a.m EST Friday and, immediately after, the company started receiving reports of Cisco routers under attack.

He said the ISS X-Force, which monitors intrusion activity on the
Internet, has confirmed attackers were using the exploit tool to cripple network interfaces and stop routers from routing Internet traffic.

“There have been a few localized attacks with this exploit but, so far, we haven’t received reports of widespread outages,” Ingevaldson said, noting that successful attacks can cause disruption in offices and home networks using vulnerable Cisco routers or switches. “Normal end-users won’t be impacted directly unless the attacks are widespread against ISPs,” he added.

ISS X-Force increased the threat level to AlertCon 3 out of 4 levels in its threat-numbering system, and warned that successful attacks could lead to increased latency and connection to networks timing out. It could also cause a slowdown in e-mail delivery.

The Computer Emergency Response Team (CERT) confirmed the availability of the exploit and again urged that patches be applied to all Cisco devices running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets.

“This exploit allows an attacker to interrupt the normal operation of a vulnerable device. We believe it is likely that intruders will begin using this or other exploits to cause service outages,” CERT warned.

“Many large service providers have already taken action or are in the midst of upgrading. However, if you have not already taken action, we strongly encourage you to review the advisory provided by Cisco and take action in accordance with your site’s maintenance and change management procedures.(Cisco’s advisory, which includes appropriate patches,
can be found here

ISS X-Force’s Ingevaldson said the exploit was especially dangerous
because it offered attackers a “very simple toolkit” to target the
vulnerability. “This is of critical importance. Cisco is the backbone of the Internet in a lot of respects. Cisco runs the vast majority of the infrastructure out there so it’s very easy for attackers to send out packets indiscriminately to vulnerable routers and switches,” he explained.

News Around the Web