Security Bytes: New flaw in Cisco IOS

Security news including a new flaw in Cisco IOS, Mozilla's hiring of a former Microsoft strategist to bolster security, a newly discovered "pump-and-dump" stock spam campaign, and TippingPoint's first advisories from its Zero Day Initiative.

New flaw in Cisco IOS
Attackers could exploit a new flaw in Cisco Systems's Internetwork Operating System (IOS) to bypass security measures and access sensitive information.

"Specifically, [the problem presents itself] when the device handles malicious GRE [generic routing encapsulation] packets with oversized header offset values, and the improper handling of the 255.255.255.255 source route entry in the device's routing table," security giant Symantec said in an emailed advisory to customers of its DeepSight Threat Management Service.

An attacker can trigger these issues by:

  • Sending specially crafted header offset values in GRE packets and using them to modify the inner-IP contents to contain IP-only packets. Information belonging to previous packets in the queue could then be sent into the outgoing queue. These could be sent back into the packet routing queue, resulting in the disclosure of sensitive information.
  • Using a source routing entry with a value of 255.255.255.255 to route packets originating from the affected device. An attacker may use this source route entry to resend the packet to an address he or she specifies. This will result in the bypass of any access control lists which are in place on the device.

The flaw affects Cisco IOS 12.0-, 12.1-, and 12.2-based trains, as well as all devices running affected versions of Cisco IOS that are configured with GRE IP or GRE IP multipoint tunnels.

Cisco has confirmed the issue and released an advisory with suggested workarounds. They include:

  • Using Cisco Express Forwarding (CEF). Using the IOS 12.0S release train with a revision later than release 12.0(23)S with CEF enabled mitigates the vulnerability.
  • Deploying anti-spoofing mechanisms for tunnel source and destination endpoints.
  • Using IPSEC with GRE tunnels.
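As an added illustration, not taken from the article or from Cisco's advisory, the following Cisco IOS configuration fragment shows what the three listed workarounds look like on a router: CEF enabled globally, unicast reverse-path forwarding as the anti-spoofing check on the interface that terminates the tunnel, and the GRE tunnel wrapped in IPsec. Interface names, addresses, the pre-shared key and the transform-set and profile names are placeholder assumptions, and exact command availability depends on the IOS release and feature set in use.

```text
! Added example, not from the article or Cisco's advisory.
! Interface names, addresses, key and profile names are assumed placeholders.
!
! Workaround 1: enable Cisco Express Forwarding globally
ip cef
!
! Workaround 2: anti-spoofing on the interface that carries tunnel traffic.
! Strict unicast RPF drops packets whose source address is not reachable
! back out the interface they arrived on (requires CEF).
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Workaround 3: protect the GRE tunnel with IPsec so only the
! authenticated peer can inject GRE packets into the tunnel.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PRESHARED-KEY address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
```

The ordering matters in practice: `ip verify unicast source reachable-via rx` is rejected on platforms where CEF is not yet enabled, so `ip cef` has to come first, and `tunnel protection` only takes effect once the IPsec profile it names exists.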

The advisory didn't specifically say when the problem will be patched.

Mozilla taps former Microsoft strategist to bolster security
Mozilla Corp. is looking to a former Microsoft employee to help it bolster security. Window Snyder, a security strategist who helped develop the security features in Windows XP SP2 and Windows Server 2003, was hired by Mozilla this week to take the lead on the organisation's security strategy.

"She'll be the public voice of Mozilla on security issues and [help] to drive our long-term security strategy," Mike Schroepfer, Mozilla's VP of engineering, said in a blog posting.

The hiring may strike some security experts as ironic, given that many users have adopted Mozilla Firefox as their browser of choice in response to all the attacks against Microsoft Internet Explorer.

Sophos warns of 'pump-and-dump' spam
UK-based antivirus vendor Sophos plc has uncovered a "pump-and-dump" stock spam campaign that uses an animated graphic to display a subliminal message to potential investors.

In an example shown on its Web site, Sophos pointed out how animated GIF graphics, common on Web sites, have been adopted by spammers in an attempt to avoid detection by antispam products.

In one spam campaign, an embedded image attempts to artificially inflate the price of shares in a company called Trimax. But unlike other similar scam emails, the graphic briefly flashes up a message saying "BUY!!!" approximately every 15 seconds.

The "BUY!!!" message is comparable to the subliminal messages that have occasionally been used in advertising and political broadcasts to try to subconsciously influence people, Sophos said.

Pump-and-dump stock campaigns work by spammers purchasing stock at a cheap price and then artificially inflating its price by encouraging others to purchase more (often by spamming "good news" about the company to others). The spammers then sell off their stock at a profit. Sophos warned that pump-and-dump stock campaigns account for approximately 15% of all spam, up from 0.8% in January 2005.

A milestone for TippingPoint's Zero Day Initiative
It has been a year since 3Com's TippingPoint division rolled out its Zero Day Initiative (ZDI), an ambitious effort to consolidate vulnerability reporting and reward researchers for finding new flaws. The idea was ridiculed by some, but it has been largely successful, attracting about 400 registered researchers. Altogether, the ZDI has publicly disclosed 30 vulnerabilities and has about 30 more pending, company officials said.

In the last week, TippingPoint has started to release advisories on those flaws, though it is withholding specific details and only publishing the vendor name, the severity of the bug and when it was reported. The list of vendors includes Microsoft, CA, Novell, Apple Computer and Symantec.

Under the ZDI program, TippingPoint pays researchers on a sliding scale for finding new vulnerabilities in commercial software packages. The amount paid depends on a number of factors, including the severity of the issue and whether the flawed software is widely deployed. TippingPoint then acts as a clearinghouse: it submits the vulnerability data to the affected vendor and handles the rest of the disclosure process.

"The researchers don't have to deal with any of the frustration of dealing with the vendors," said Dave Endler, director of security research at TippingPoint.
