July 18, 2003 1:36 PM PDT
Code to exploit Cisco flaw may pose risk
- Related Stories
-
Twin flaws have security pros worried
July 17, 2003 -
Cisco warns of serious router flaw
July 16, 2003 -
Microsoft warns of critical Windows flaw
July 16, 2003
The code, posted to the Full-Disclosure security mailing list early Friday morning, could be used to disable the Cisco routing hardware that connects many networks to the Internet. Two security companies--Symantec and Internet Security Systems--upgraded their estimation of the level of threat posed to companies connected to the Internet.
"The worry is that someone automates this (attack) and uses it for mass denial of service against people who haven't upgraded their routers," said Al Huger, senior director of engineering for Symantec's security response team. "I don't tend to be alarmist, but I think this one is a pretty legitimate concern."
Symantec on Friday raised its measure of the threat to 3 from 2. The five-point scale has been raised to 3 only a handful of times in the last two years, Huger said. The Slammer worm, Code Red worm and Bugbear.B virus incidents each were rated 3.
Symantec's intrusion detection systems have detected light attack activity as a result of the vulnerability. "We aren't (yet) seeing numbers that are really cause for concern," Huger said.
Cisco updated an advisory to warn customers of the public release of the flaw but disputed reports that online vandals were exploiting it. "We have no confirmation of any networks being impacted, and we have no reports of any successful network attacks," said Jim Brady, a spokesman for the company.
Nonetheless, this particular flaw has security experts spooked because Cisco routers make up a large portion of the Internet infrastructure. The routers account for more than 80 percent of the hardware in corporate networks and more than 90 percent of the hardware that makes up the Internet, said Rachna Ahlawat, senior analyst for market researcher Gartner.
"Any hardware that is so widely deployed that is under attack can cause major network disruption," she said. Ahlawat believes that because Cisco found the problem through internal testing and managed to give Internet service providers advanced notice of the issue, there is a good chance that the worst danger is past.
However, security companies don't seem so sure. While ISPs have been rushing to fix Cisco routers, it's unknown how quickly corporations and online retailers have worked to fix their networks.
Internet Security Systems raised its measure of the danger on the Internet to 3 as well. Both Internet Security Systems and Symantec had raised the level to 2 the day before, when the Cisco router vulnerability and a major flaw in Microsoft Windows became public.
"It seems right now that people are testing the exploit code," said Dan Ingevaldson, engineering director for Internet Security Systems' vulnerability research team. "We haven't seen any kind of organized attack, any major attack, or any kind of outage."
The Cisco flaw, as first reported by CNET News.com, could allow an attacker to stop traffic from flowing through vulnerable network hardware. After being advised of the flaw on Tuesday by Cisco, ISPs scrambled Wednesday and Thursday to plug the hole in their network hardware.
Windows warning
That flaw came just after another widespread vulnerability--this one in Windows. Microsoft released its advisory Wednesday, warning that every computer running any version of Microsoft Windows, except for Windows ME, had a security hole that could allow an attacker to take control of the computer.
The Windows flaw is in a service that normally wouldn't be available over the Internet if the system's owner followed strong security guidelines. However, many companies and home users may inadvertently have systems that are connected directly to the Internet and aren't protected by a firewall, security researchers warned.
While a program designed to attack Cisco systems has been published, Ingevaldson hasn't seen any such exploit for the Microsoft flaw.
"We haven't seen any public exploits, but we were able to develop one internally," he said. "And we assume that if we can do it, so can anyone else."
