March 29, 2004 3:17 PM PST

Code attacks Cisco vulnerabilities

Cisco Systems issued a security warning this weekend to customers after new software code was published on the Internet that targeted certain vulnerabilities on several of its networking products.

The software code, written by a group of teenagers in Italy calling themselves the "BlackAngels," exploits nine vulnerabilities found in Cisco's Internetwork Operating System (IOS). This software runs on most of Cisco's products, including its Catalyst Ethernet switches and Internet Protocol routers.

Many of the vulnerabilities exposed in the new software tool have already been identified and addressed by Cisco. Some of them were identified as far back as 2000. As these problems were discovered, Cisco published software upgrades and workaround scenarios to help customers protect their networks from malicious attacks.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


While the vulnerabilities have been known for some time, the program, called the "Cisco Global Exploiter," makes exploiting them much easier by providing simple streams of code. After the code was published, Cisco posted a warning on its Web site on Saturday. It also provided links to vulnerabilities that had already been discovered.

"Customers should take steps to ensure that they have addressed each of these either via a software upgrade or workarounds in place as appropriate in order to mitigate any risk from this new exploit code," the company said on its Web site.

Most of the vulnerabilities make Cisco routers and switches more susceptible to distributed denial-of-service attacks. These attacks occur when hackers take control of servers and flood the network with millions of packets, which eventually cripple devices like switches and routers that try to process all the packets.

The BlackAngels, who describe themselves on their Web site as "a group of Italian teenager boys" who are "expert in the network security field and programming," stated that they do not take any responsibility for "incorrect or illegal use of this software or for eventual damages to others systems." The group has written the code in an effort to bring more awareness to security flaws, according to the site.

Members of the BlackAngels were not available for comment.

A Cisco representative said the company is not aware of any active attacks on the vulnerabilities. The company also said it is working closely with its customers and industry organizations to address the issues.

Bugs in Cisco's IOS software are common, and the company often publishes news about ways to work around these vulnerabilities. This past summer, it announced it had discovered a bug in IOS running on its carrier class routers that exposed them to denial-of-service attacks. In December 2003, the company reported vulnerabilities in IOS running on some of its wireless products.

Security is a main area of focus for Cisco lately as it beefs up its portfolio of security products. The company recently announced that it is buying Riverhead Networks for $39 million. The start-up makes an appliance designed to protect enterprise networks from denial-of-service attacks.

4 comments

Join the conversation!
Add your comment
Programmer requirements: Total idiot!
It looks like programmers and their companies don't care if their products work or not. Maybe before IT companies come out with new versions of their time bombs, they should try to make their current version work without it puking all over itself and anyone using it. Software has become one big joke. Security tools with security issues, patch-a-day operating systems, and a ton of other venomous software. The consumer must love to live dangerously. I can see now what the thrill of computers is all about, living dangerously, on the edge knowing any minute that your IT is going to be hacked and your careers work will end up in alphabet heaven. WOW! Gambling with your future is an awesome rush! I'm glad I finally figured out what this IT business is all about. Silly me, I thought it was about information. Well gotta go. I need to go get the latest OS out, I hear that the risks are so big and so plentiful it's better than playing Russian Roulette with five out of six chambers loaded. Rad!
Posted by bjbrock (98 comments )
Reply Link Flag
Programmer requirements: Total idiot!
It looks like programmers and their companies don't care if their products work or not. Maybe before IT companies come out with new versions of their time bombs, they should try to make their current version work without it puking all over itself and anyone using it. Software has become one big joke. Security tools with security issues, patch-a-day operating systems, and a ton of other venomous software. The consumer must love to live dangerously. I can see now what the thrill of computers is all about, living dangerously, on the edge knowing any minute that your IT is going to be hacked and your careers work will end up in alphabet heaven. WOW! Gambling with your future is an awesome rush! I'm glad I finally figured out what this IT business is all about. Silly me, I thought it was about information. Well gotta go. I need to go get the latest OS out, I hear that the risks are so big and so plentiful it's better than playing Russian Roulette with five out of six chambers loaded. Rad!
Posted by bjbrock (98 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.