The CBOS software built into the Cisco 600 Series of routers has multiple serious security faults that were designed into the controlling software. The problems include predictable TCP initial sequence numbers, passwords stored in clear text, and other faults. These are not bugs but design flaws, and they can pose a real threat to the security of sites relying on these routers.

Here is a list of the design flaws:

  • NVRAM stores some passwords in plaintext.
  • Multiple large ECHO REPLY packets cause the Cisco 600 router to enter the ROMMON mode and essentially shut down.
  • An ICMP ECHO REQUEST packet with the record route option (the -r option on many standard ping requests) can cause the Cisco 600 router to shut down.
  • Some CBOS software versions have a flaw that makes it possible to predict TCP Initial Sequence Numbers.

The following releases of CBOS software for Cisco 600 routers contain the above listed vulnerabilities: 2.0.1, 2.1.0, 2.1.0a, 2.2.0, 2.2.1, 2.2.1a, 2.3, 2.3.2, 2.3.5, 2.3.7, and 2.3.8.

The problems were fixed in CBOS releases: 2.3.9, 2.4.1, and 2.4.2.

According to Cisco, router models which used the affected software are: 627, 633, 673, 675, 675E, 677, 677i and 678.

Threat level—various
There are so many problems here that it’s difficult to assess the overall threat level, but it is definitely significant. For example, anyone who has access to view a router’s configuration can obtain the plaintext (nonencrypted) EXEC and ENABLE passwords, allowing them to easily change the router’s configuration.

Considering that some managers have endeavored to simplify their maintenance tasks by using the same passwords for multiple devices, this vulnerability alone could result in networks getting shut down or lead to even greater mischief. The only upside is that many diligent IT managers already knew about this problem (Cisco bug ID CSCdt04882) and even those who didn’t follow the discussion groups on this problem at least knew better than to use the same passwords on multiple devices. Thus, the damage from this flaw could be somewhat limited for those installations that follow good security procedures.

The ECHO REQUEST (ping -r) problem can cause a denial of service event. Multiple ECHO REPLY packets larger than 64 bytes passing through the device can also trigger a denial of service event.
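Both ICMP triggers described above are visible on the wire, so a monitoring point in front of the router can flag them before they reach it. The following is an added example, not code from the article or from Cisco: a small IPv4/ICMP parser that walks the IP options field for the Record Route option (type 7) on echo requests and measures the echo data on replies against the 64-byte figure the article gives. The `build_ipv4_icmp` helper, the sample packets, and the interpretation of "larger than 64 bytes" as the ICMP payload length are all assumptions made for this illustration; checksums are left zero and nothing is sent.

```python
import struct

# Field values from RFC 791 / RFC 792; the 64-byte figure is the one the article cites.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IP_PROTO_ICMP = 1
IP_OPT_END = 0
IP_OPT_NOP = 1
IP_OPT_RECORD_ROUTE = 7
LARGE_REPLY_THRESHOLD = 64  # assumed to mean ICMP echo data bytes, not the whole IP packet


def parse_ipv4_options(opts):
    """Walk an IPv4 options field and return the option type numbers it carries."""
    types = []
    i = 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IP_OPT_END:
            break
        if opt_type == IP_OPT_NOP:  # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated IPv4 option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IPv4 option length")
        types.append(opt_type)
        i += length
    return types


def classify_icmp(packet):
    """Return the advisory-relevant findings (list of tags) for one raw IPv4 packet."""
    findings = []
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        return findings
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if packet[9] != IP_PROTO_ICMP:
        return findings
    option_types = parse_ipv4_options(packet[20:ihl])
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    icmp_type = icmp[0]
    payload_len = len(icmp) - 8  # bytes after type/code/checksum/identifier/sequence
    if icmp_type == ICMP_ECHO_REQUEST and IP_OPT_RECORD_ROUTE in option_types:
        findings.append("echo-request-with-record-route")
    if icmp_type == ICMP_ECHO_REPLY and payload_len > LARGE_REPLY_THRESHOLD:
        findings.append("large-echo-reply")
    return findings


def build_ipv4_icmp(icmp_type, payload, options=b""):
    """Build a minimal IPv4+ICMP packet as constructed test data (checksums zero, never sent)."""
    options = options + bytes((-len(options)) % 4)  # pad to a 32-bit boundary with End-of-Option-List
    ihl = 5 + len(options) // 4
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    total_length = ihl * 4 + len(icmp)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_length, 0, 0, 64, IP_PROTO_ICMP, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 254]),  # RFC 5737 documentation addresses
    )
    return header + options + icmp


# Record Route option: type 7, length 39 (3 header bytes + nine 4-byte slots), pointer 4.
RECORD_ROUTE_OPT = bytes([IP_OPT_RECORD_ROUTE, 39, 4]) + bytes(36)

# Constructed sample traffic standing in for a capture feed.
SAMPLES = {
    "plain ping": build_ipv4_icmp(ICMP_ECHO_REQUEST, b"A" * 56),
    "ping with record route": build_ipv4_icmp(ICMP_ECHO_REQUEST, b"A" * 56, RECORD_ROUTE_OPT),
    "small reply": build_ipv4_icmp(ICMP_ECHO_REPLY, b"B" * 56),
    "large reply": build_ipv4_icmp(ICMP_ECHO_REPLY, b"B" * 1000),
}


def scan_samples(samples=SAMPLES):
    """Classify every sample packet and return {name: findings}."""
    return {name: classify_icmp(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:24s} -> {findings or 'ok'}")
```

The parser deliberately raises on malformed option lengths rather than skipping them, since a truncated or oversized option is itself worth surfacing at a filtering point; in a production filter you would log and drop rather than raise.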

The predictable TCP initial sequence numbers open the door to several attacks. First, an outsider could send forged packets that the router would accept as authentic. Malicious actions launched from inside the network could be even worse, because packets could be intercepted, read, modified, and forwarded.
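A defender who wants to know whether a device in their own network is exposed to this class of flaw can sample the initial sequence numbers it hands out on successive connections and look at how they step. The following is an added example, not code from the article or from Cisco, and the page does not describe how CBOS actually generated its ISNs: it takes a list of sampled ISNs, computes the increments modulo 2^32, and classifies the sequence as constant-step, tightly clustered, or random-looking. The sample sequences and the `LOW_VARIANCE_LIMIT` threshold are constructed for the illustration.

```python
import statistics

# Thresholds are assumptions for this illustration, not values from Cisco or the article.
LOW_VARIANCE_LIMIT = 2 ** 16   # increments clustered this tightly leave a small guessing window
MIN_SAMPLES = 3


def isn_predictability(samples):
    """Assess TCP initial sequence numbers sampled from one host's successive connections.

    Returns {"deltas": [...], "verdict": ...} where the verdict is
      'constant'        every increment is identical, so the next ISN is fully predictable
      'low-variance'    increments are tightly clustered, so a small window of guesses suffices
      'random-looking'  increments spread widely across the 32-bit space
    """
    if len(samples) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples")
    # Differences between successive ISNs, modulo 2**32 because the field wraps.
    deltas = [(later - earlier) % 2 ** 32 for earlier, later in zip(samples, samples[1:])]
    if len(set(deltas)) == 1:
        verdict = "constant"
    elif statistics.pstdev(deltas) < LOW_VARIANCE_LIMIT:
        verdict = "low-variance"
    else:
        verdict = "random-looking"
    return {"deltas": deltas, "verdict": verdict}


# Constructed sample ISN sequences; the real CBOS generator is not described on the page.
CONSTANT_STEP = [0x00001000 + 64000 * i for i in range(5)]
JITTERED_STEP = [1000, 65000, 129003, 193001, 257002]
RANDOM_LOOKING = [0x1A2B3C4D, 0x9F0E1D2C, 0x33445566, 0x7A8B9CAD, 0x0BADF00D]


def assess_all():
    """Run the assessment over the constructed sequences and return {name: verdict}."""
    return {
        "constant step": isn_predictability(CONSTANT_STEP)["verdict"],
        "jittered step": isn_predictability(JITTERED_STEP)["verdict"],
        "random looking": isn_predictability(RANDOM_LOOKING)["verdict"],
    }


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name:15s} {verdict}")
```

A "constant" or "low-variance" verdict on a device is the signal to treat it as needing the firmware upgrade the article describes; a "random-looking" result from a handful of samples is only weak evidence, since a generator that is deterministic but keyed on time or on the peer address will still look varied in a small sample.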

Obviously, these could be pretty severe threats, depending on the installation. In fact, even one of these flaws could be devastating, let alone all of them taken together.

The only fix is to upgrade to newer versions that have had the flaws removed. There are no workarounds or patches to address any of these problems.

CBOS releases 2.3.9, 2.4.1, and 2.4.2 are already available: 2.4.1 was released on Dec. 11, 2000, 2.3.9 on March 19, 2001, and 2.4.2 on May 14, 2001. But Cisco only published notice of these multiple problems on May 22, 2001, so many managers may have ignored the new releases, not realizing how important they were.

How do you feel about Cisco 600 Series routers?

Are you going to make the fix? Are you considering replacing the routers? We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.