Time to patch your Cisco routers

Summary: While Cisco isn't alone in upgrade complexity, the end result is that most end users never patch their routers and switches and simply assume they never need patching. This probably won't change until a conventional PC worm makes the jump to attacking IOS vulnerabilities and causes massive damage.


Three months after the scandal at the Black Hat conference, Cisco has finally confirmed the existence of some of the serious vulnerabilities that Michael Lynn warned about when he demonstrated the ability to hack into Cisco routers back in July. While the specifics were never made clear during the Black Hat conference, it was thought that Cisco had already fixed the issues with its IPv6 patch, but it is now clear that the problems affecting Cisco IOS run much deeper. In response, Cisco issued this advisory warning all Cisco customers to upgrade their routers to the latest IOS.

What this means is that everyone needs to upgrade each and every Cisco router they own, including those Cisco switches that have routing capability. The good news is that there are no publicly available exploits for this vulnerability yet (which doesn't prove that none exist) and that Cisco has provided customers who hold Smartnet contracts with a complete set of upgraded IOS images for every affected device. Customers who don't have Smartnet contracts can obtain a free fix by calling the Cisco Technical Assistance Center; the phone numbers are listed here.

The bad news is that a lot of smaller shops that don't have professional network engineers on staff have no idea how to upgrade their Cisco IOS devices. While network professionals may be used to the complexity, mere mortals are overwhelmed by a massive matrix of IOS trains and feature sets. There isn't a simple "upgrade" command that makes the routers download and patch themselves, let alone an auto-update feature. While Cisco isn't alone in this regard and this is the norm among network device companies, the end result is that most end users never patch their routers and switches and simply assume they never need patching. This probably won't change until a conventional PC worm makes the jump to attacking IOS vulnerabilities and causes massive damage. That may or may not happen, because the ability to root a Cisco router is too valuable to waste on an annoying worm, but a new era of router hacking is upon us and few are ready for it.

Topic: Cisco

  • Cisco?

    Granted this is an important issue, but if you want feedback = page views = ZDNet ad revenue, you'll have to work Microsoft killing Linux (or so-called open source/formats) into the narrative....

    Is that cynical?
    • Talkback != page views

      Some articles may not get a lot of talk backs because they are not controversial, but that doesn't mean people aren't reading the original work.
  • Router? What's a Router?
    There are many small operations that don't even know they HAVE a router, let alone who made it. The device is stuffed into a dark corner of some small closet behind the poster boards and old rain coats and probably hasn't been touched by light in years. Those devices probably will never be updated until they are replaced.

    Hopefully they will not become the zombies that wreak havoc on the internet, but we (and in that regard I mean primarily the upstream providers) need to be prepared to respond quickly and kill access by these devices if they do start to run amok. I hate the fact that it has come to this, but we're going to have to take the "shoot first and ask questions later" attitude.

    Now back to work here . . . I have some Cisco 2500s to commune with.
  • Advice for customers

    The REAL issue here is what to advise customers to do. Simply patching IOS is no simple affair. This is still something that needs to come out in the wash