A paper presented at a security conference in Europe over the weekend has Cisco and the security community debating the reality of rootkits over the Cisco Internetwork Operating System (IOS) network. Devices affected include routers and voice over IP phones.
At the EUSecWest conference in London, Core Security researcher Sebastian Muniz presented what he called the "Da IOS Rootkit," a binary modification to the IOS image. "The main feature of Da IOS Rootkit is the universal password," Muniz said in an interview on the EUSecWest Web site. "Every call to the different password validation routines grant access to the user if the unique rootkit password is specified."
In anticipation of Muniz's talk, Cisco published three critical patches last week.
In response to the presentation, the company has published a set of best practices. Cisco noted that "no new vulnerability on the Cisco IOS software was disclosed during the presentation. To the best of our knowledge, no exploit code has been made publicly available, and Cisco has not received any customer reports of exploitation."
Security researchers have met in the past with mixed results from Cisco. In February, John Kindervag and Jason Ostrom, both of Vigilar, talked about how to take advantage of lobby phones using Cisco IOS. There was no follow-up by Cisco. And in 2005, security researcher Michael Lynn was legally barred from presenting a talk on remote exploits involving Cisco IOS. Lynn gave part of the talk anyway but later signed an agreement never to talk about the specifics of his exploit again.