IT staff race against time to patch vulnerability in Cisco technology


IT staff at ISPs and businesses had to work round the clock over the weekend of 18-20 July to fix a vulnerability in Cisco routers and switches that could have allowed attackers to launch denial-of-service attacks.

A number of corporate websites were taken down while essential work took place on network infrastructures.

Iain Stevenson, an analyst with Ovum, said network managers had to balance the need to patch the vulnerability with the disruption such upgrades can cause.

"It is a difficult issue for network managers," he said. "We are often alerted to these types of vulnerabilities but how often will there actually be a threat? Applying patches can lead to more problems. Being circumspect and monitoring traffic then applying patches at a later date may be the best approach."

According to Gunter Ollman, X-Force security assessment manager at consultancy ISS, attacks began as soon as exploit code for the flaw was published, shortly after Cisco's advisory.

"Within an hour of the first exploit code being published there were attacks. Then we saw further attacks against our managed clients after Cisco published its second advisory listing vulnerable ports - attackers then went for those ports," said Ollman.

"A lot of workers arrived on Monday morning to find no e-mail because their routers had not been patched at the weekend. Websites were also affected as unscheduled upgrading had to take place."

The flaw affected Cisco switches and routers processing IP version 4 traffic and running Internetwork Operating System (IOS) versions 11.x and 12.x. It allowed attacks to be aimed at specific devices or launched indiscriminately to cause widespread outages. Security experts said most legacy firewalls were incapable of stopping such attacks, because the packets involved are ordinary IPv4 packets addressed to the device itself.

Cisco issued a patch on Wednesday 16 July for the vulnerability, which allowed an attacker to send a sequence of crafted IPv4 packets that made a device treat an interface's input queue as full; the device did not crash, but it stopped accepting any more traffic on that interface until it was reloaded.

Cisco devices running unpatched IOS are vulnerable to the exploit. Exceptions include kit handling only IP version 6 traffic and devices with IOS version 12.3 and above.

Gunter Ollman's tips for protecting your network
  • Subscribe to vulnerability alerting services. This is the best way to avoid being taken in by erroneous reports

  • Have in place a patching and upgrade programme so that patches and upgrades are regularly rolled out to your network infrastructure

  • Have an instant response plan ready to be activated when network vulnerabilities are announced, both for the technical aspects and the business ramifications, such as websites being down while essential work is carried out

  • Have processes in place to identify patterns in internet traffic - using intrusion detection systems and firewall monitoring - so threats can be spotted by in-house teams.
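The last tip, spotting an attack of this kind from traffic patterns, can be done with a few lines of log analysis. The following is an added example, not code from the article, from ISS or from Cisco: it reads firewall log lines in the iptables format (a format assumed here for illustration), counts packets sent to router interface addresses using IP protocols outside an expected baseline, and raises an alert when one source exceeds a threshold. The router addresses, the baseline protocol set, the threshold and the sample log lines are all constructed for the example; the protocol numbers in the sample (55 and 103) are illustrative, and the ones to watch for on a real network should be taken from Cisco's advisory.

```python
import re
from collections import Counter

# Constructed values for this example: the addresses of the router
# interfaces we care about, the IP protocols normally seen arriving at
# them, and how many packets per (source, protocol) trigger an alert.
ROUTER_ADDRS = {"192.0.2.1", "192.0.2.254"}
EXPECTED_PROTOS = {1, 6, 17, 47, 89}     # ICMP, TCP, UDP, GRE, OSPF
THRESHOLD = 20

# iptables-style log fields (assumed format). TCP/UDP/ICMP appear by
# name; any other IP protocol is logged by number, e.g. PROTO=55.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
)
PROTO_BY_NAME = {"ICMP": 1, "TCP": 6, "UDP": 17}


def parse_line(line):
    """Return (src, dst, ip_protocol_number), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto").upper()
    if proto in PROTO_BY_NAME:
        num = PROTO_BY_NAME[proto]
    elif proto.isdigit():
        num = int(proto)
    else:
        return None
    return m.group("src"), m.group("dst"), num


def find_suspicious(lines, threshold=THRESHOLD):
    """Count packets per (source, router address, protocol) for traffic aimed
    at a router address with a protocol outside the baseline, and return the
    combinations that reach the threshold."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto = parsed
        if dst in ROUTER_ADDRS and proto not in EXPECTED_PROTOS:
            counts[(src, dst, proto)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def make_sample_log():
    """Constructed log lines: normal SSH management traffic, a few stray
    packets of one unusual protocol, and a burst of another unusual
    protocol from a single source at one router address."""
    lines = []
    for i in range(5):
        lines.append(f"kernel: IN=eth0 OUT= SRC=10.0.0.{i + 10} DST=192.0.2.1 "
                     f"LEN=60 TTL=64 PROTO=TCP SPT=4{i}000 DPT=22")
    for _ in range(3):
        lines.append("kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.254 "
                     "LEN=40 TTL=250 PROTO=103")
    for i in range(25):
        lines.append(f"kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 "
                     f"LEN=40 TTL=25{i % 3} PROTO=55")
    # Same protocol, but not aimed at a router address: ignored by the check.
    lines.append("kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.77 "
                 "LEN=40 TTL=250 PROTO=55")
    return lines


if __name__ == "__main__":
    for (src, dst, proto), n in find_suspicious(make_sample_log()).items():
        print(f"ALERT: {n} packets from {src} to router {dst} using IP protocol {proto}")
```

Run as-is, the script reports the 25-packet burst of protocol 55 from 198.51.100.7 at 192.0.2.1 and stays silent about the three protocol-103 packets, which fall below the threshold; lowering `threshold` to 3 surfaces those as well. Keying the count on the destination as well as the source matters because the effect of this flaw is per interface, so the same source hitting several router addresses is several incidents, not one.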
