Breaking News

Saturday, 21 May 2022

Cisco IOS Router Exploitation - Service Vulnerabilities

Among network leaf nodes, vulnerabilities in network-exposed services are the most powerful points of entry for an attacker. A network-exposed service suffering from a memory corruption vulnerability, ideally one reachable before any authentication takes place, is the primary target for any exploit developer. Since the purpose of any server on the network is to expose services, attackers have historically focused their efforts on finding vulnerabilities in them.


With the widespread adoption of firewalls, on both enterprise networks and personal computers, the exposure of potentially vulnerable services has decreased massively. Attacker focus has shifted to the client side, where untrusted data is constantly handled on behalf of a human user, be it through the delivery of email attachments or through visiting a web site. Attackers can exert even more control over a human-driven web browser than they can over an autonomously running service.

Cisco IOS can operate both as a network server and as a network client. IOS network services include an HTTP server for configuration and monitoring, an HTTPS server for the same purpose, Telnet and SSH remote access, and an FTP and a TFTP server for remote access to the flash file system. Memory corruption vulnerabilities in the HTTP, FTP and TFTP services have been identified in the past, and proof-of-concept exploits have been developed and published.

For attackers seeking to gain control of important network infrastructure, such services are of little interest, as well-managed networks will not enable them on their core routing infrastructure, or will restrict them to a dedicated management network.

Routers also need to expose services specific to their purpose. These include the routing protocols themselves (EIGRP, OSPF, IS-IS, BGP) as well as network support services such as DHCP relaying and IPv6 router discovery. In contrast to the aforementioned HTTP and FTP servers, these services are required by most network designs and will be running on a large portion of the networking equipment. However, as most routing protocol implementations accept spoofed routing protocol announcements unless configured to use MD5 authentication, these services are usually guarded and rarely exposed to remote networks such as the Internet.

The Cisco IOS implementation of BGP is a good example of a service that is not visible as such to any remote network node. BGP requires a TCP session (port 179) between two configured peers. If such a TCP session is requested from a system that is not configured as a peer, a Cisco IOS router answers with a TCP RST packet, exactly as if the service were not available or not configured on the router at all. This simple design reduces the attack surface of the BGP service on Cisco IOS to systems that the network engineer has configured as peers. Note that the check is made on the source address of the incoming connection: it limits exposure to whoever can complete a TCP handshake as one of those peers, which is why it complements rather than replaces MD5 authentication of the session itself.
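The behaviour described above is easy to confirm from the outside, and just as easy to misread: from a scanner's point of view a router with BGP peers configured for other addresses and a router with no BGP at all both answer with a RST. The following probe is an added example (it is not code from the original text or from Cisco) that classifies the transport-level answer on TCP/179 and, where a handshake does complete, identifies the first BGP message it receives, since some non-IOS implementations accept the connection and then send a NOTIFICATION (Cease). The sample NOTIFICATION bytes and the loopback fixture listeners are constructed here so the probe can be exercised without a router; the fixtures are a test stand-in, not a model of IOS.

```python
"""Probe what a non-peer sees on a router's BGP port (added example, not from
the original text). IOS answers a SYN from an address it has no `neighbor`
statement for with a RST, so from the outside "BGP configured, but not for me"
and "no BGP at all" look identical. Other stacks accept the handshake and then
send a NOTIFICATION (Cease), which this probe also recognises."""
import socket
import struct
import sys
import threading

BGP_MARKER = b"\xff" * 16
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
# Constructed sample: NOTIFICATION, error code 6 (Cease), subcode 5
# (Connection Rejected), the answer some implementations give unknown peers.
SAMPLE_CEASE_NOTIFICATION = BGP_MARKER + struct.pack("!HBBB", 21, 3, 6, 5)


def parse_bgp_header(data: bytes):
    """Return (length, type name) for a BGP message header, or None if it is not one."""
    if len(data) < 19 or data[:16] != BGP_MARKER:
        return None
    length, mtype = struct.unpack("!HB", data[16:19])
    if length < 19 or length > 4096 or mtype not in BGP_TYPES:
        return None
    return length, BGP_TYPES[mtype]


def probe_tcp_service(host: str, port: int = 179, timeout: float = 2.0) -> str:
    """Classify the transport-level answer:
    'reset'     immediate RST: nothing listening, or (on IOS) not a configured peer
    'filtered'  neither SYN/ACK nor RST within the timeout: silently dropped
    'error:N'   other socket error, e.g. an ICMP unreachable sent back by an ACL
    'open:<x>'  handshake completed; <x> is the first BGP message type, 'closed'
                if the peer hung up without data, 'silent' if it sent nothing
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "reset"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            return f"error:{exc.errno}"
        try:
            data = s.recv(19)
        except socket.timeout:
            return "open:silent"
        except ConnectionResetError:
            return "open:reset"
    if not data:
        return "open:closed"
    hdr = parse_bgp_header(data)
    return f"open:{hdr[1]}" if hdr else "open:not-bgp"


def probe_loopback_fixture(reply: bytes = b"", timeout: float = 2.0) -> str:
    """Run the probe against a throw-away loopback listener that sends `reply`
    (possibly nothing) to its first client and then closes. Test stand-in only;
    it does not model IOS behaviour."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        return probe_tcp_service("127.0.0.1", port, timeout)
    finally:
        worker.join(timeout)


def probe_closed_loopback_port(timeout: float = 2.0) -> str:
    """Find a free loopback port, leave nothing listening on it, and probe it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]
    return probe_tcp_service("127.0.0.1", port, timeout)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:179 -> {probe_tcp_service(target)}")
```

Run it as `python probe.py <router-address>`. A `reset` result proves nothing about whether BGP is configured on the router; only an `open` result obtained from an address the router accepts as a peer, or a `filtered` or `error` result pointing at an ACL in front of it, tells you more.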

Other routing-specific services, such as OSPF and EIGRP, expect their traffic on a link-local IPv4 multicast address, which effectively ensures that the sender is on the same link as the receiving router (unicast neighbor statements for non-broadcast links are the exception, but those again name specific peers). For an attacker on the Internet, such services are of little use as targets, since they are simply not reachable from the attacker's position.

A notable exception is the Cisco IOS IP options vulnerability [3], in which IPv4 packets carrying IP options were handled incorrectly for several protocols. The protocols affected are commonly handled when addressed to an IOS router (e.g. ICMP echo requests), and the code generating the response suffered from a memory corruption vulnerability in the form of a stack-based buffer overflow. It is these rare vulnerabilities, in services that every network uses and that are reachable all the way across the Internet, that pose a significant threat to Cisco IOS.
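What makes the option field dangerous is that the IHL promises a number of bytes, and each multi-byte option then promises its own length, and a response path that trusts either number without checking it against the other walks off the end of the header. The parser below is an added example, not Cisco's code and not a reconstruction of the specific fault in the advisory; it shows the checks a hardened stack or a filter has to make before touching an option field. Option type numbers follow RFC 791; the sample headers are constructed inline with `build_ipv4_header()`, and `option_verdict()` is an illustrative name for the accept/drop decision.

```python
"""Defensive IPv4 option parsing (added example; not Cisco's code)."""
import socket
import struct
from dataclasses import dataclass

EOOL, NOP = 0, 1
OPTION_NAMES = {0: "EOOL", 1: "NOP", 7: "RR", 68: "TS", 131: "LSRR",
                137: "SSRR", 148: "RA"}
ROUTE_OPTIONS = {7, 131, 137}       # carry a pointer followed by 4-byte address slots


class MalformedOptions(ValueError):
    """Raised for any option field a hardened stack should refuse to process."""


@dataclass
class IPOption:
    kind: int
    data: bytes                     # bytes after the type/length pair

    @property
    def name(self) -> str:
        return OPTION_NAMES.get(self.kind, f"opt{self.kind}")


def parse_ipv4_options(header: bytes) -> list:
    """Walk the option field of an IPv4 header, refusing anything malformed."""
    if len(header) < 20:
        raise MalformedOptions("header shorter than 20 bytes")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise MalformedOptions(f"bad version/IHL {version}/{ihl}")
    hlen = ihl * 4
    if len(header) < hlen:          # IHL promises bytes that are not there
        raise MalformedOptions(f"IHL claims {hlen} bytes, only {len(header)} present")
    opts = header[20:hlen]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:            # end of list; the rest must be zero padding
            if any(opts[i + 1:]):
                raise MalformedOptions("non-zero bytes after EOOL")
            break
        if kind == NOP:
            parsed.append(IPOption(NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedOptions(f"option {kind} has no length byte")
        length = opts[i + 1]
        if length < 2:              # 0 never advances the parser; 1 does not cover itself
            raise MalformedOptions(f"option {kind} length {length} < 2")
        if i + length > len(opts):  # the overrun a trusting copy would make
            raise MalformedOptions(f"option {kind} length {length} overruns header")
        data = bytes(opts[i + 2:i + length])
        if kind in ROUTE_OPTIONS:
            # RFC 791: pointer is 1-based with minimum 4, then 4-byte address slots
            if not data or data[0] < 4 or (length - 3) % 4:
                raise MalformedOptions(f"option {kind} has bad pointer/slot layout")
        parsed.append(IPOption(kind, data))
        i += length
    return parsed


def option_verdict(header: bytes) -> str:
    """'accept' or 'drop: <reason>', the decision a filter in front of the router would make."""
    try:
        parse_ipv4_options(header)
    except MalformedOptions as exc:
        return f"drop: {exc}"
    return "accept"


def is_source_routed(header: bytes) -> bool:
    """True if the header carries LSRR/SSRR; most networks drop such packets outright."""
    return any(o.kind in (131, 137) for o in parse_ipv4_options(header))


def build_ipv4_header(options: bytes, src="192.0.2.1", dst="198.51.100.1",
                      proto=1) -> bytes:
    """Construct a minimal IPv4 header (checksum left 0) around raw option bytes."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    if ihl > 15:
        raise ValueError("options too long for IHL")
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + padded
```

On IOS the blunt operational equivalent of `option_verdict` is the global `ip options drop` command, which discards every packet carrying IP options before any protocol handler sees it; since legitimate use of IP options on a production network is rare, that is usually the right default for an Internet-facing router.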

More recently, Cisco has started to add enterprise and carrier services to IOS that will be deployed more widely once the IOS versions incorporating them are considered stable enough by networking engineers. These new services include [4] a rapidly growing set of VoIP services, Lawful Interception, SSL VPN termination, the Web Services Management Agent (allowing configuration of Cisco IOS through a SOAP web service), XML-PI and H.323. The more these services are adopted in enterprise and carrier networks, the more attack surface the individual routers expose.

