Rootkit threatens Cisco routers

Cisco and the security community are debating the reality of rootkits attacking Cisco's Internetwork Operating System (IOS) after a researcher presented a proof-of-concept attack that threatens Cisco routers and voice over IP phones.

At the EUSecWest conference in London, Core Security researcher Sebastian Muniz presented a proof-of-concept attack that he called the "Da IOS Rootkit", a binary modification to the IOS image.

"The fragile nature of our networks is at an all-time high" - John Stewart, Cisco

"The main feature of Da IOS Rootkit is the universal password," Muniz said in an interview on the EUSecWest website. "Every call to the different password validation routines grants access to the user if the unique rootkit password is specified."

In anticipation of Muniz's talk, Cisco published three critical patches last week.

In response to the presentation, the company has published a set of best practices. Cisco noted that "no new vulnerability on the Cisco IOS software was disclosed during the presentation. To the best of our knowledge, no exploit code has been made publicly available, and Cisco has not received any customer reports of exploitation."

If the exploit code is made public, it could pose a further security risk to Cisco's customers, according to Chris Gatford, senior security consultant for penetration testing firm, Pure Hacking.

"If the code reaches the wild, it could be dangerous because of the lack of security attention given to Cisco's switches and routers," he told ZDNet.com.au.

At the AusCERT 2008 conference on the Gold Coast last week, Cisco's chief security officer John Stewart complained that many of Cisco's customers fail to upgrade IOS, with some still operating on version 10.3, which was released on 13 April 1995. The current release is version 12.4.

"I can give them the list of known vulnerabilities, but customers still don't want to touch it because it's working ... I think there's a certain level of 'well it's working, don't touch it, because it's fragile, it might break'. I understand that, however I don't find it acceptable," he said.

Australian customers often avoid securing switches and routers, despite these devices offering a gateway to all network traffic.

"If I was to do a comparison of the number of assessments on operating systems versus networking hardware, I would say the OS and apps would be 90 per cent of what a customer is asking for and very few have us look at switches and routers. And once again, if you compromise a switch and router you own all those OSes, because you have access to all that sensitive traffic going in and out," Pure Hacking's Gatford said.