Cisco slow to respond to Nimda

Several popular Cisco routers and firewalls have been badly affected by the Nimda virus, which has caused them to crash or to...

Several popular Cisco routers and firewalls have been badly affected by the Nimda virus, which has caused them to crash or to expose networks to security holes.

Reports from concerned users claim that some Cisco Catalyst Routers as well as Cisco Call Manager 3 and PIX firewalls have repeatedly crashed or had to be shut down after operators were unable to control data traffic or change settings.

One network manager on the Cisco user forum said: "We've got a really nasty situation that cropped up after Nimda did its damage to a Web server; the attack drove the router to 100% utilisation, and now the unit won't block TCP 80 regardless of the [commands we give it]."

Similar reports are coming from other Cisco newsgroups and CW360 readers. Cisco has yet to issue a definitive statement on the problem.

In security advisories issued after the Code Red attack in July, Cisco recommended turning off port 80, normally used for Internet data as a last resort for controlling huge flows of traffic.

Scott Blake, of security consultancy Bindview, told CW360: "We have heard a few reports of Cisco products being affected and it sounds like a classic buffer over-run attack due to the huge volumes of traffic generated by the Nimda virus."

Bindview, whose customers include American Airlines, General Motors and the United Nations, suggested that the built-in operating system (IOS) of affected Cisco products was being corrupted, causing anomalous behaviour.

Blake said: "It is unlikely that the virus' writers intended this. It is more likely to be a by-product of the virus. Cisco generally makes good kit but when it is attacked in this way, there is not a lot they can do."

"All affected customers can do is reload the IOS and send Cisco a stiff letter complaining about the problem and telling them to do better in the future," he added.

Paul King, a senior consultant with Cisco UK, said: "The huge volume of traffic is the biggest reason for performance problems - but there are likely to be a few Cisco products that will be directly affected by Nimda. I would suspect any IIS-based system and maybe a couple of others - but at present it is too early to tell accurately what is affected. It may be no products at all."

"There is a very clear channel for reporting security incidents and receiving help from Cisco via the Product Security Incident Response Team, and I would advise customers to try this route first," he added.

Cisco has not released specific patches for affected products, but has a general advisory available.

Further Information:

Read more on Antivirus, firewall and IDS products