Crafted IPv6 Headers Plague Cisco Routers Again
Yesterday, the US-CERT security awareness team from the Dept. of Homeland Security posted a warning that it had been notified by Cisco that certain of its routers running IOS do not process specially crafted IPv6 headers properly, leading to a potentially exploitable condition.
The warning has ominous echoes of Cisco router vulnerability from the summer of 2005, the precise details of which were divulged in a Black Hat demonstration by an ISS security researcher who got maybe more than five minutes of fame, but paid for them with his job.
Cisco's security advisory for the new problem, posted yesterday, explains that the problem has to do with the way IPv6 Type 0 routing headers may be engineered. When done automatically, they specify the exact route a packet should take to reach its destination. But an intentional permutation of that header could lead to the router crashing. Cisco says a customer discovered the problem and reported it, and while the company was working on a patch, uncovered an additional exploitation vector.
The company also acknowledges that successful repetition of this exploit could be attempted by a denial-of-service attack, though neither Cisco nor US-CERT report any active exploits in the field. Not all Cisco routers are vulnerable, and fixes for the problem are already available for many models. Cisco listed a complete table in its advisory yesterday.
In July 2005, security researcher Michael Lynn used information he’d learned while consulting for Cisco to demonstrate techniques for crashing Cisco routers, during a Black Hat conference in Las Vegas – techniques which reportedly included crafting IPv6 headers in ways that routers couldn’t parse, causing heap overflows. At the time, Lynn hyped the possibility of a “digital Pearl Harbor,” warning that hacker sites in China were trafficking in proprietary source code from Cisco routers. At the same time, however, Lynn invoked the first-person-plural in his suggestions for how one exploit could be crafted, as in “We could...” and “We can...” leading to suspicion that perhaps it wasn’t China that was most interested in giving denial-of-service a try.
Cisco responded by filing suit against Lynn, ordering him to stop disclosing proprietary information in public and on Web sites; the company also sent letters to sites that mirrored Lynn’s documentation and presentation slides.
11:45 am January 25, 2007 - Late this morning, Cisco spokesperson Kevin Petschow responded to BetaNews as follows: "Cisco is aware of multiple vulnerabilities that may impact Cisco IOS and IOS XR devices and has published three separate security advisories about them. In all cases, Cisco has made free software available to address the vulnerabilities for affected customers. Cisco is also not aware of any current exploitation of these vulnerabilities."
Petschow reiterated that free software fixes are currently available for the recent round of problems. He also stated the 2005 problem made public by Michael Lynn is unrelated to this round of vulnerabilities, and reminded us that Cisco had already been providing patches to the 2005 vulnerability at the time of Lynn's demonstration.