Hackers Exploit Cisco Software Flaw

Cisco Systems Logo
A day after Cisco Systems Inc. warned of a serious software flaw in networking gear that routes Internet traffic, researchers said hackers had figured how to cripple the equipment.

There were no immediate reports of outages, but that was expected to change, the Computer Emergency Response Team, a taxpayer-funded group at Carnegie Mellon University, said Friday in an advisory.

"This exploit allows an attacker to interrupt the normal operation of a vulnerable device," the CERT advisory said. "We believe it is likely that intruders will begin using this or other exploits to cause service outages."

Internet security companies boosted their threat assessment levels, and government agencies also repeated warnings.

Spokesman Bill Murray said the FBI was monitoring the situation and promised "a thorough investigation into the exploit that is out there." Murray works with the FBI's Cybercrimes Division at the agency's Washington headquarters.

On Thursday, operators of Internet backbone and other companies scrambled to patch the flaw, which could cause widespread outages because Cisco routers and switches are so prevalent on the Internet.

"This exploit was created not as a proof of concept — it was created to exploit the vulnerability and cause damage," said Dan Ingevaldson, engineering manager for ISS' X-Force research development group. "We presume hackers went to work as soon as they heard about it."

Cisco did not immediately comment on the exploit. The San Jose-based network gear maker earlier released a workaround as well as a free patch to fix the flaw in its widely used Internetwork Operating System.

Internet providers, meanwhile, quickly scheduled maintenance downtime to install the patch.

According to Cisco's alert, the vulnerability is exploited by sending a "rare sequence" of data packets to a device running IOS, the equivalent of Windows for routers and switches. It causes the device to stop processing traffic once its incoming queue is full.

The attack, which spokesman Jim Brady said Cisco discovered through internal testing, does not trigger any alarms and can be repeated until the device is inaccessible.

"This type of attack can be launched at a specific target, or launched indiscriminately to cause widespread outages," according to an alert issued by Internet Security Systems.

An unusually high number of emergency maintenance outages have been scheduled by Internet carriers and providers since Tuesday, Ingevaldson said.

Large Internet traffic carriers, such as AT&T, MCI and Sprint, have taken measures. Dave Johnson, a spokesman for AT&T, said the company was alerted by Cisco on Tuesday night.

Network administrators who manage Cisco equipment are more likely to pay attention to security warnings than home computer users. Still, applying a patch to a router is not a trivial operation, Ingevaldson said.