[Dshield] Cisco IOS Heap-based Overflow Vulnerability in SystemTimers

Carloscar Andréasson karlblau at volvo.se
Thu Nov 10 10:26:45 GMT 2005

Hi everyone.

How do you guys/girls target this? Are you mass upgrading all your routers/switches...?
In my organization we are in a kind of catch-22 situation. If we were to upgrade all routers/switches running IOS software, we would end up doing so to over 1000 devices. That would take a lot of time and hard testing before even trying... and even after testing there will surely be some problems that one could try and test in the lab before upgrading. From the little info released from Cisco about this you don't really know how seriously to take the advisory.

I know that if there were to be a successful exploit of this, it would become larger than anything else we have ever seen regarding the impact of the worm/virus/etc... And from what I can understand there is some info that points to that there will come a sufficient exploit for this.

But then on the other side, if this would be critical (which is my personal thought), wouldn't SANS, CERT, etc. target this vulnerability higher? I haven't seen much written about this since the first notice.

/Br Carl

Stephane Grobety wrote:

>I read the details and here is what I understood:
>IOS implements some safeguards against memory corruption. However,
>these safeguards are not effective at protecting a specific section of
>the memory used by system timers. However, it doesn't create a new
>attack vector.
>So, in order to exploit it, an attacker must first exploit another
>flaw in the system that allows him to overwrite the memory used by the
>IOS system timers. If he overwrites any other part of the memory, the
>system integrity check will crash the router.
>In short: it means that some attacks that previously were known to be
>"simply" DOS can actually be exploited to run arbitrary code. This
>isn't exactly the end of the world as we know it though it IS of some
>However, this might put the fact that a critical portion of the net
>runs on top of IOS in the spotlight. If someone actually manages to
>write a worm that can successfully exploit IOS software, we might
>actually have that "doomsday worm" that would shut Internet down
>for some time.
>And this leads me to the following question: What would be the impact
>of such a worm? From my point of view, I don't think that the loss
>(for my company) would be really large: although we do have critical
>business functions that are depending on Internet, we also have
>contingency plans that would allow these to switch to backup channels
>such as direct modem dial-up within about 24 hours. But one thing
>still unknown is how much of the phone system would still stand if the
>net went down.
>Opinions? Remarks?
>Good luck,