Saturday 21 May 2022

Cisco IOS Router Exploitation - Transit Vulnerabilities

From the attack vector point of view, the most powerful vulnerability class in Cisco IOS consists of vulnerabilities that can be triggered by traffic passing through the router. For the sake of terminology, we will call them Transit Vulnerabilities.



Transit Vulnerabilities are extremely rare. Any router is built with the goal of forwarding traffic as fast as possible from one interface to another. Consequently, the number of bytes per packet that are inspected before making the forwarding decision is kept to an absolute minimum. In any routing device above the access layer class, routing decisions can often be taken on the interface or line card already. In those cases, only the first packet of a communication is inspected by higher-level software and all following packets are processed in hardware, thereby eliminating the need to even inform the main CPU of the machine that a packet passed through the system.

That said, there are situations in which a packet gets “punted”, which is Cisco slang for pushing packets up from fast forwarding mechanisms like CEF to “process switching” or “fast switching”, which use the main CPU for forwarding decisions. Such situations of course include all traffic destined for one of the router's interface addresses, but this wouldn't be transit traffic. More interesting cases are IP fragment reassembly, packets with IP options, and IPv6 packets that feature hop-by-hop headers, which need to be processed.
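As an added illustration (not code from the original post), the following Python sketch classifies raw IPv4/IPv6 headers by the punt conditions listed above, which lets a defender measure from a capture how much transit traffic would reach the main CPU. The function names, reason labels and sample packets are constructed for this example, and actual punt behaviour varies by platform and IOS release.

```python
import ipaddress
import struct

def punt_reasons(packet: bytes, router_addrs=frozenset()) -> list:
    """Return which of the punt conditions above a raw IP packet matches."""
    if not packet:
        raise ValueError("empty packet")
    version, reasons = packet[0] >> 4, []
    if version == 4:
        ihl = packet[0] & 0x0F                      # header length in 32-bit words
        if ihl < 5 or len(packet) < ihl * 4:
            raise ValueError("malformed or truncated IPv4 header")
        flags_frag = struct.unpack("!H", packet[6:8])[0]
        dst = ipaddress.ip_address(packet[16:20])
        if ihl > 5:                                 # anything past 20 bytes is options
            reasons.append("ipv4-options")
        if flags_frag & 0x3FFF:                     # MF set or non-zero offset; DF ignored
            reasons.append("ipv4-fragment")
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        dst = ipaddress.ip_address(packet[24:40])
        if packet[6] == 0:                          # Next Header 0 = Hop-by-Hop Options
            reasons.append("ipv6-hop-by-hop")
    else:
        raise ValueError(f"not an IP packet (version {version})")
    if dst in router_addrs:                         # addressed to the router: not transit
        reasons.append("destined-for-router")
    return reasons

# Constructed sample headers (documentation address ranges), not captured traffic.
def make_ipv4(dst: str, ihl: int = 5, flags_frag: int = 0) -> bytes:
    src = ipaddress.ip_address("203.0.113.5").packed
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, flags_frag,
                      64, 17, 0, src, ipaddress.ip_address(dst).packed)
    return hdr + b"\x01" * ((ihl - 5) * 4)          # pad options with NOPs

def make_ipv6(dst: str, next_header: int = 17) -> bytes:
    src = ipaddress.ip_address("2001:db8::5").packed
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64, src,
                       ipaddress.ip_address(dst).packed)

if __name__ == "__main__":
    router = {ipaddress.ip_address("192.0.2.1")}
    for pkt in (make_ipv4("198.51.100.7"), make_ipv4("198.51.100.7", ihl=6),
                make_ipv4("198.51.100.7", flags_frag=0x2000), make_ipv4("192.0.2.1"),
                make_ipv6("2001:db8::7", next_header=0)):
        print(punt_reasons(pkt, router) or ["fast-path"])
```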

So far, no true Transit Vulnerability is known to the author. If one were discovered and successfully exploited, its effects would be devastating, especially if the vulnerability is triggered after the forwarding decision was made and the traffic is forwarded to the next hop.
