Cisco IOS leak means admins should monitor routers

See what is known about the recent disclosure of the Cisco source code and what it means for admins, and get info on other pressing security threats.

As you may have heard, the source code of Cisco's IOS—which runs the routers that power many corporate networks and much of the Internet—was recently stolen and illegally divulged in the public arena. The threat level due to this disclosure is unknown, but is potentially extremely high. Administrators who manage Cisco equipment should monitor their routers and switches with extra caution over the short term.

As detailed in the "Also watch out for" section at the bottom of this article, there are also several new Windows-related vulnerability reports and new exploits of older threats that have emerged. It's not entirely clear just how serious they are at this time, but they have the potential to become quite serious, if only because there are known and published exploits that make them accessible to script kiddies. In addition, there is a new, highly critical Mac OS X vulnerability.


The FBI is currently investigating the theft and publication on the Full-Disclosure security mailing list of a significant amount of what is thought to be the proprietary firmware code used in Cisco routers and switches.

After a weekend of rumors, denials, and suspicions that the whole thing was nothing more than a hoax, the IDG News Service reported on May 18, 2004, that copies of the Cisco IOS source code had appeared on the Internet after apparently having been stolen from a compromised Sun server on Cisco's corporate network.

The amount of code exposed to hackers seems to have been as much as 800 megabytes, so it is particularly difficult to quickly determine just what vulnerabilities might be found by hackers going over that amount of code with a fine-tooth comb.

A post on the Russian security Web site claims to have seen about 2.5 MB of the code, supposedly taken from version 12.3 of IOS.

ZDNet reports that what was actually stolen was some source code, in the form of two raw C programming files, one of them dated 1996 and the other dated 2003.

The fact that very little of the supposedly stolen code has actually been seen circulating in chat rooms or elsewhere may indicate that the claims are exaggerated, but it could also mean that this code was stolen by serious hackers with a commercial or criminal motive.

Risk level – Unknown

At this time there are far more questions than answers available, which, in some ways, is even worse than knowing what information may have been compromised, because administrators can't fully judge the threat level. They can only carefully watch all Cisco hardware for suspicious activity.

Final word

This Cisco code disclosure follows on the heels of Microsoft's source code disclosure earlier in the year. That sent a lot of administrators (not to mention Microsoft) into a nervous fit. Although no serious exploits have ever shown up that are related to vulnerabilities discovered in that Windows code, there still exists the possibility that something serious will develop.

There is an ongoing debate as to just how serious that security breach was, but it's clear that it wasn't a high point in Microsoft's security efforts.

Whether or not malicious people get copies of the stolen Cisco software and are able to discover serious vulnerabilities that can be widely exploited, the mere fact that confidential firmware has been disclosed must weigh heavily on Cisco administrators until or unless it can be absolutely proven, not just claimed, that this doesn't constitute a serious security breach.

In the never-ending debate of open source versus proprietary software, one thing is abundantly clear when it comes to security: once proprietary code is exposed to attackers, it becomes considerably less secure than open source software, where it is at least possible for administrators to examine the source code for themselves. One of the main security pillars that proprietary software relies on is its very secrecy.

Also watch out for …

  • Security firm eEye has reported a critical vulnerability in Apple's QuickTime software that can allow remote code execution. The problem was reported to Apple in February 2004 and a patch is now available.
  • Apple's Mac OS X operating system has yet another highly critical vulnerability in addition to the one reported in the May 17, 2004 Locksmith column. A Secunia report details the new, highly critical vulnerability and another slightly less dangerous threat, both of which were initially reported by lixlpixel to Apple on February 23, 2004; lixlpixel says Apple finally responded to this notification on May 20, 2004. The most troubling part to many security experts is the way Apple keeps explaining away these vulnerabilities by saying they are not anywhere near as serious as people are claiming—apparently based, not on the seriousness of the vulnerabilities, but simply on the fact that no one appears to be attacking Macs. MacWorld UK recently reported a malicious attack circulating that would delete a user's Home folder using some recently disclosed Mac OS X vulnerabilities. The attack is disguised as a Word 2004 demo. Apple criticized Intego, the discoverer of the Trojan threat exploited by this malware, as overreacting and is currently downplaying the malware's danger by pointing out that it isn't technically a virus. That is small comfort to any Mac users who have had their Home folders wiped out.
  • SecurityFocus reports that a DoS vulnerability exists when Internet Explorer uses the "window.createPopup() method to invoke the http-equiv meta tag." A simple proof of concept has been published.
  • SecurityTracker reports that an exploit has also been published for a threat to Outlook 2003, which bypasses the scripting restrictions that would normally protect systems. This would allow a malicious e-mail to execute arbitrary code if the e-mail message is opened. There doesn't appear to be any workaround or other steps you can take to prevent this (obviously other than not using Outlook 2003).
  • The new Lovegate worm uses a very tricky (probably unique) method to spread; certainly I've never run across this precise combination of propagation methods before. It seems that Lovegate replies to the unanswered e-mail that is sitting in your MAPI-compliant (namely Outlook) mailbox. Klez also utilized an auto-responder but didn't include the mass mailing feature of Lovegate, and Klez was around for a very long time. Auto-responder attacks are among the most persistent of threats. It shouldn't be necessary to explain in detail the obvious dangers posed by such a worm. These range from triggering massive spam attacks by confirming addresses to posing as entirely legitimate responses—it's pretty easy for most of us to spot spam when it comes packaged as a reply to a subject line message we've never sent, but how about when it looks exactly like a legit response? InformationWeek has a report on this.
  • A Secunia Advisory warns of a new privilege escalation vulnerability in Windows 2000 and Windows XP. The threat lies in desktop.ini files that may contain CLSID references to arbitrary executables. As of the latest round of Microsoft security patches, this threat hadn't been patched.
  • New worms, in particular Bobax and Kibuv, are exploiting known Windows vulnerabilities for which patches are already published in Microsoft Security Bulletin MS04-011. Both appear to be causing heavy traffic on TCP port 5000 (Universal Plug and Play, UPnP) and are trying to take over computers in order to spread spam.
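As an added defender-side example (not code from the original column), the following Python script looks through constructed firewall-style log lines for internal hosts fanning out to many distinct destinations on TCP port 5000, the traffic pattern the Bobax and Kibuv reports describe. The log line format, the sample addresses and the five-host threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed, syslog-like firewall connection records (format is an assumption).
SAMPLE_LOG = """\
May 20 10:01:02 fw1 conn: src=10.0.0.15 dst=10.0.1.1 proto=tcp dport=5000
May 20 10:01:02 fw1 conn: src=10.0.0.15 dst=10.0.1.2 proto=tcp dport=5000
May 20 10:01:03 fw1 conn: src=10.0.0.15 dst=10.0.1.3 proto=tcp dport=5000
May 20 10:01:03 fw1 conn: src=10.0.0.15 dst=10.0.1.4 proto=tcp dport=5000
May 20 10:01:04 fw1 conn: src=10.0.0.15 dst=10.0.1.5 proto=tcp dport=5000
May 20 10:01:04 fw1 conn: src=10.0.0.22 dst=10.0.1.1 proto=tcp dport=5000
May 20 10:01:05 fw1 conn: src=10.0.0.22 dst=10.0.1.1 proto=tcp dport=5000
May 20 10:01:05 fw1 conn: src=10.0.0.31 dst=192.0.2.10 proto=tcp dport=80
May 20 10:01:06 fw1 conn: src=10.0.0.15 dst=10.0.1.6 proto=udp dport=5000
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

def fanout_on_port(log_text, port=5000, proto="tcp"):
    """Return {src: set(dst)} for connections to the given port and protocol."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record; skip it
        if m["proto"].lower() != proto or int(m["dport"]) != port:
            continue  # other ports/protocols are not part of this indicator
        targets[m["src"]].add(m["dst"])
    return targets

def suspicious_sources(log_text, port=5000, min_distinct_dst=5):
    """Flag sources that touched at least min_distinct_dst distinct hosts on the port.
    A worm probing a subnet fans out to many hosts; a single UPnP client does not.
    The threshold is an assumption; tune it to the network's normal UPnP usage."""
    return sorted(
        src for src, dsts in fanout_on_port(log_text, port).items()
        if len(dsts) >= min_distinct_dst
    )

if __name__ == "__main__":
    for src in suspicious_sources(SAMPLE_LOG):
        print(f"possible worm scanning on TCP/5000 from {src}")
```

Repeated connections from one host to one UPnP device are deliberately not flagged; only the one-to-many pattern is.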
