Defense in Depth

A paper presented at a security conference in Europe over the weekend has Cisco and the security community debating the reality of rootkits over the Cisco Internetwork Operating System (IOS) network. Devices affected include routers and voice over IP phones.

At the EUSecWest conference in London, Core Security researcher Sebastian Muniz presented what he called the "Da IOS Rootkit," a binary modification to the IOS image. "The main feature of Da IOS Rootkit is the universal password," Muniz said in an interview on the EUSecWest Web site. "Every call to the different password validation routines grant access to the user if the unique rootkit password is specified."

In anticipation of Muniz's talk, Cisco published three critical patches last week.

In response to the presentation, the company has published a set of best practices. Cisco noted that "no new vulnerability on the Cisco IOS software was disclosed during the presentation. To the best of our knowledge, no exploit code has been made publicly available, and Cisco has not received any customer reports of exploitation."

Security researchers have met in the past with mixed results from Cisco. In February, John Kindervag and Jason Ostrom, both of Vigilar, talked about how to take advantage of lobby phones using Cisco IOS. There was no follow-up by Cisco. And in 2005, security researcher Michael Lynn was legally barred from presenting a talk on remote exploits involving Cisco IOS. Lynn gave part of the talk anyway but later signed an agreement never to talk about the specifics of his exploit again.

On Wednesday, Cisco Systems issued three patches for critical vulnerabilities affecting Cisco Internetwork Operating System (IOS). The most serious of these affects the Cisco Voice Portal and the Secure Shell server (SSH) implementations.

Cisco says the first patch covers a vulnerability that exists in the Cisco Unified Customer Voice Portal (CVP) , which provides customer voice and video self-service integration. If the vulnerability is exploited, an authenticated user can create, modify, or delete a superuser account. In other words, successful exploitation may result in full control of the system.

The second patch covers the Secure Shell server (SSH) implementation in Cisco IOS, which contains multiple vulnerabilities. Exploitation may allow unauthenticated users to generate a spurious memory access error or, in certain cases, reload the device. Cisco notes that the IOS SSH server is an optional service that is disabled by default, but says its use is recommended as a security best practice for management of Cisco IOS devices.

According to Cisco, the third patch addresses three Secure Shell (SSH) vulnerabilities that exist in the Cisco Service Control Engine (SCE) that may result in system instability or a reload of the SCE. Cisco says the first vulnerability may be triggered during SSH log-in activity with brute force. The second vulnerability may be triggered with normal SSH log-in activity combined with simultaneous other SCE management actions. The third vulnerability may occur during SSH log-in using unique invalid authentication credentials.

Attacks against VoIP systems are becoming popular. At this year's Shmoocon, John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to these kinds of attacks.

Bottom line: if you're running Cisco IOS, get the updates today.

WASHINGTON--Two security researchers at ShmooCon demonstrated on Saturday how a laptop connected to a VoIP telephone could, in some cases, expose a business' internal network to outsiders.

John Kindervag, senior security architect for Vigilar, said that public waiting areas in hospitals, conference rooms, and hotel rooms are particularly vulnerable to this attack since often there is no IT staff around. Appearing on stage at the East Coast computer hacker conference with Kindervag was Jason Ostrom, manager of Vigilar's Vulnerability Assessment and Compliance Practice team, who used the ShmooCon conference to show off his latest version of VoIP Hopper, a tool he uses for penetration testing of companies that are running voice over IP phone systems.

Kindervag said that VoIP was gaining acceptance with large companies and organizations for many reasons: there are no toll calls over the Internet; there's less cabling involved; employees can move offices without having to rewire or change switching operations for their phones; and finally, voice mail notices can appear in one's Outlook inbox. "This is very popular among CIOs," Kindervag said.

But Ostrom's tool allows one to hook up a laptop computer to a public VoIP phone and connect to the company's or organization's internal network with full administrator access. VoIP Hopper can be used to intercept Cisco Discovery Protocol (CDP), which announces the device type and the SNMP agent address of neighboring devices, and automatically create a new ethernet device. This could allow someone to map or otherwise do damage to a company's network from a public waiting area. The tool also allows one to physically remove the phone and have a laptop spoof the phone's MAC address, so the network is unaware that a laptop has replaced the expected phone.

To prevent such attacks, the researchers recommend turning off CDP. They also recommend disabling port 2 on any public VoIP phone, and include the public phone within a firewall.