[c-nsp] Quick IOS security check

Ted Mittelstaedt tedm at toybox.placo.com
Sun Aug 21 09:54:34 EDT 2005


Here's where they all are:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

Unfortunately, the "TCP Vulnerabilities in Multiple IOS-Based Cisco Products"
advisory that was released April 2005 pretty much makes it impossible to
assume that any IOS older than that date is not vulnerable.

But, going forward, you can do like you were saying, and check
the bug, see if your config has it, if not, then don't update.

Otherwise, like I was saying, the best you can do if you're running
older IOS is to see if the vulnerabilities in it are exploitable
in the location it's in.  For example, I don't concern myself that
much about the TCP Vulnerabilities bug in IOS that runs on routers
that are on private corporate networks behind a firewall, running
private addresses.  And even in routers that are on the public
network, but are merely serving as passthrough routers, and are
otherwise completely shielded from the Internet.  (i.e.: a router
in front of a PIX or some such, as you can have the upstream provider
filter the IP numbers of the router, and leave the IP number assigned
to the PIX alone)

Granted these can be attacked by compromising some host on the
trusted network and using that as a jumping off point, but chances
are much lower, and that is why we run AV software on the corporate
network.

But you pretty much have to assume that any Cisco router that hasn't
been updated since about 4 months ago is insecure.

Ted

>-----Original Message-----
>From: Kim Onnel [mailto:karim.adel at gmail.com]
>Sent: Sunday, August 21, 2005 5:54 AM
>To: Ted Mittelstaedt
>Cc: jcvaraillon at dolnet.gr; cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Quick IOS security check
>
>
>Well, you could have an IOS that is vulnerable to IPv6 holes, but you
>don't have IPv6 enabled, so I think you need to do it manually, per bug
>not per IOS version: check recent bugs, if you have it, then upgrade.
>
>On 8/21/05, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
>>
>> Unfortunately, particularly with the older Cisco devices (like the 1600
>> series), Cisco's security fixes often entail having to update to IOS
>> versions that are larger than what the original RAM and flash are that
>> came in the system.
>>
>> For example, 1600 R series that came with 4MB flash/8MB ram no longer
>> have a 12.0 series of IOS that they can run that is without security
>> holes.
>>
>> 2500's with 8MB flash/4MB ram are in the same boat.
>>
>> As a result you may need to backflash to older IOS release trains to get
>> a security-fixed IOS that fits in the RAM/flash - assuming, that is, that
>> your device isn't using any of the advanced features in the newer IOS
>> (like address translation for example).  Or replace the router.  Or try
>> scrounging around on Ebay or some such for parts (try buying 1600 RAM
>> chips new that will work in a 1600, har har!)
>>
>> You could possibly write a script using SNMP that would query every
>> device in your network looking for your routers, and report back the
>> IOS version - if you have enabled SNMP on all your devices, of course -
>> but it still takes some human intelligence to look at each device, see
>> what it's doing and where it is, whether the IOS version on it has
>> vulnerabilities that are exploitable in the location it's in, and what
>> you can do about it.
>>
>> This is why we get paid the big bucks.  There are parts of the job that
>> do require some actual real work to be done. ;-)
>>
>> Ted
>>
>> >-----Original Message-----
>> >From: cisco-nsp-bounces at puck.nether.net
>> >[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of
>> >Jean-Christophe Varaillon
>> >Sent: Friday, August 19, 2005 3:03 AM
>> >To: cisco-nsp at puck.nether.net
>> >Subject: [c-nsp] Quick IOS security check
>> >
>> >
>> >Hi,
>> >
>> >I have a list of the 100 Cisco devices that we have on our network
>> >with their corresponding IOS.
>> >
>> >I am looking for a quick way to see which device should be upgraded
>> >due to IOS security issues (not bug issues).
>> >
>> >From
>> >http://www.cisco.com/en/US/customer/products/products_security_advisories_listing.html,
>> >we have the list of security issues, but, manually, it would take very
>> >long to see which of the 100 devices has vulnerabilities and should be
>> >upgraded.
>> >
>> >Is there any tool available from Cisco site where I would enter the
>> >IOS string name and where it would give me the list of vulnerabilities
>> >and the recommended IOS upgrade?
>> >
>> >Would CiscoWorks be of any help to achieve this quick security check?
>> >
>> >Any comments/suggestions are welcome!
>> >
>> >Thank you,
>> >
>> >Christophe
>> >
>> >_______________________________________________
>> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> >https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
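The SNMP-inventory-plus-per-bug check that Ted and Kim describe above, as an added example that is not from this thread: it assumes the sysDescr strings (SNMP OID 1.3.6.1.2.1.1.1.0) and config excerpts have already been collected (the values here are constructed), and the advisory record is a placeholder, since the fixed releases of the real advisories are not on this page.

```python
import re

# Version token as IOS reports it in sysDescr (SNMP 1.3.6.1.2.1.1.1.0):
# 12.0(7)T, 12.0(28c), 12.3(11)T3 -> major.minor(maint[interim])[train][rebuild]
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)")

def parse_ios_version(sysdescr):
    """Return (train, rank) or None. rank only orders releases within one train."""
    m = VERSION_RE.search(sysdescr)
    if not m:
        return None
    major, minor, maint, interim, train, rebuild = m.groups()
    return (f"{major}.{minor}{train}", (int(maint), interim, int(rebuild or 0)))

def assess(sysdescr, config, advisory):
    """Classify one device against one advisory: per bug, not per IOS version."""
    parsed = parse_ios_version(sysdescr)
    if parsed is None:
        return "unparsed sysDescr: review manually"
    train, rank = parsed
    # A hole in a feature the box never enabled is not exposed on that box
    if not re.search(advisory["feature"], config, re.M):
        return "not exposed: affected feature not configured"
    fixed = advisory["first_fixed"].get(train)
    if fixed is None:
        return f"train {train} not covered by advisory: review manually"
    _, fixed_rank = parse_ios_version("Version " + fixed)
    return "fixed" if rank >= fixed_rank else f"vulnerable: upgrade to {fixed} or later"

# Constructed inventory: hypothetical hosts with sysDescr text and config excerpts
INVENTORY = {
    "rtr-1600": ("IOS (tm) 1600 Software (C1600-Y-L), Version 12.0(7)T, RELEASE SOFTWARE (fc1)",
                 "hostname rtr-1600\nip route 0.0.0.0 0.0.0.0 192.0.2.1\n"),
    "rtr-2500": ("IOS (tm) 2500 Software (C2500-I-L), Version 12.0(28), RELEASE SOFTWARE (fc1)",
                 "hostname rtr-2500\nipv6 unicast-routing\n"),
    "rtr-2600": ("IOS (tm) C2600 Software (C2600-IS-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc1)",
                 "hostname rtr-2600\nipv6 unicast-routing\n"),
    "rtr-3600": ("IOS (tm) 3600 Software (C3640-IS-M), Version 12.2(40), RELEASE SOFTWARE (fc3)",
                 "hostname rtr-3600\ninterface Ethernet0/0\n ipv6 address 2001:db8::1/64\n"),
}

# Placeholder advisory record: feature pattern and first-fixed releases are invented
ADVISORY = {
    "name": "PLACEHOLDER-ipv6-advisory",
    "feature": r"^\s*ipv6 ",
    "first_fixed": {"12.0": "12.0(28c)", "12.3T": "12.3(11)T3"},
}

def triage(inventory=INVENTORY, advisory=ADVISORY):
    """Map each host to its status so the list can be sorted into work queues."""
    return {host: assess(d, c, advisory) for host, (d, c) in inventory.items()}
```

Calling `triage()` returns one status per host; releases from a train the advisory does not list are sent to manual review rather than compared across trains, since rebuild numbers only order releases within a single train.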
