March 29, 2004 3:17 PM PST

Code attacks Cisco vulnerabilities

Cisco Systems issued a security warning this weekend to customers after new software code was published on the Internet that targeted certain vulnerabilities on several of its networking products.

The software code, written by a group of teenagers in Italy calling themselves the "BlackAngels," exploits nine vulnerabilities found in Cisco's Internetwork Operating System (IOS). This software runs on most of Cisco's products, including its Catalyst Ethernet switches and Internet Protocol routers.

Many of the vulnerabilities exposed in the new software tool have already been identified and addressed by Cisco. Some of them were identified as far back as 2000. As these problems were discovered, Cisco published software upgrades and workaround scenarios to help customers protect their networks from malicious attacks.



While the vulnerabilities have been known for some time, the program, called the "Cisco Global Exploiter," makes exploiting them much easier by providing simple streams of code. After the code was published, Cisco posted a warning on its Web site on Saturday. It also provided links to vulnerabilities that had already been discovered.

"Customers should take steps to ensure that they have addressed each of these either via a software upgrade or workarounds in place as appropriate in order to mitigate any risk from this new exploit code," the company said on its Web site.

Most of the vulnerabilities make Cisco routers and switches more susceptible to distributed denial-of-service attacks. These attacks occur when hackers take control of servers and flood the network with millions of packets, which eventually cripple devices like switches and routers that try to process all the packets.

The BlackAngels, who describe themselves on their Web site as "a group of Italian teenager boys" who are "expert in the network security field and programming," stated that they do not take any responsibility for "incorrect or illegal use of this software or for eventual damages to others systems." The group has written the code in an effort to bring more awareness to security flaws, according to the site.

Members of the BlackAngels were not available for comment.

A Cisco representative said the company is not aware of any active attacks on the vulnerabilities. The company also said it is working closely with its customers and industry organizations to address the issues.

Bugs in Cisco's IOS software are common, and the company often publishes news about ways to work around these vulnerabilities. This past summer, it announced it had discovered a bug in IOS running on its carrier class routers that exposed them to denial-of-service attacks. In December 2003, the company reported vulnerabilities in IOS running on some of its wireless products.

Security is a main area of focus for Cisco lately as it beefs up its portfolio of security products. The company recently announced that it is buying Riverhead Networks for $39 million. The start-up makes an appliance designed to protect enterprise networks from denial-of-service attacks.

4 comments

Programmer requirements: Total idiot!
It looks like programmers and their companies don't care if their products work or not. Maybe before IT companies come out with new versions of their time bombs, they should try to make their current version work without it puking all over itself and anyone using it. Software has become one big joke. Security tools with security issues, patch-a-day operating systems, and a ton of other venomous software. The consumer must love to live dangerously. I can see now what the thrill of computers is all about, living dangerously, on the edge knowing any minute that your IT is going to be hacked and your career's work will end up in alphabet heaven. WOW! Gambling with your future is an awesome rush! I'm glad I finally figured out what this IT business is all about. Silly me, I thought it was about information. Well gotta go. I need to go get the latest OS out, I hear that the risks are so big and so plentiful it's better than playing Russian Roulette with five out of six chambers loaded. Rad!
Posted by bjbrock (98 comments )
That's a little extreme, but I see your point
>It looks like programmers and their companies
>don't care if their products work or not.

That is both wrong and right at the same time. From my experience, often companies don't mind a few bugs, but programmers never like bugs. It makes them look bad, and if their code often has bugs, they gain a reputation for it, and often have a harder time finding jobs due to that.

>Software has become one big joke. Security tools
>with security issues, patch-a-day operating
>systems, and a ton of other venomous software.

The major problem isn't that they are released with bugs, it's that in a controlled environment, it's nearly impossible to find all the bugs. Bugs are a pure fact of software, and a good programmer knows that. A great programmer is someone who knows how to find bugs, and fix them. And operating systems are about the biggest piece of software you can make. There are so many different factors, that I believe it to be IMPOSSIBLE for an operating system to ever be released that is bug free.

And the venomous software, is just that. Either viruses that are programmed to break things, or software so badly made you would have thought it was meant to be bad. In the case of corporate venomous software, quite often it's the companies' fault, not the programmer. They all see a way to make a quick buck, so they do, regardless what their programmers tell them.

>Well gotta go. I need to go get the latest OS
>out, I hear that the risks are so big and so
>plentiful it's better than playing Russian
>Roulette with five out of six chambers loaded.
>Rad!

I must commend you on that statement. Very well written!

Kyle King
Posted by (19 comments )