[ISN] Software bug hits Cisco

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 16 Oct 1998 - 14:28:17 CDT
Forwarded From: darek milewski <darekm@cmeasures.com>

http://www.zdnet.com/zdnn/stories/printer_friendly/0,3845,2149744,00.html

Software bug hits Cisco
By Charles Cooper and Michael Fitzgerald, ZDNet News
October 14, 1998 6:31 PM PT

A software error has been uncovered that compromises the security of
certain products made by Cisco Systems Inc. 

The bug -- which affects the company's networking software -- allows
unauthenticated users to penetrate logins for routers and other Cisco IOS
(Internetworking Operating System) devices. That, in turn, can open the
door for hackers to read information entered by prior users of the devices
-- including passwords. 

However, Cisco (Nasdaq:CSCO) says the danger is limited: The only
information likely to get exposed would be at the prompt of the IOS
device, and any data that gets forwarded would not be exposed. 

The problem affects devices running Cisco IOS software, including most,
but not all, Cisco router products, according to Cisco.  The company says
the glitch affects versions 9.1 and later of its IOS software. 

We've got a problem 

"This is certainly cause for concern," said John Bashinski, a spokesman
for Cisco. "We want to see people upgrade if they can reasonably do so.
This potentially gives away a password. Obviously, that's something you
don't want to give away."

The opening would let hackers -- who would only need to establish a
terminal connection -- reproduce "nearly complete lines, and fragments
tens of characters long," according to a document posted on Cisco's Web
site.

Bashinski said Cisco has issued fixes that can be downloaded from the
company's Web site. He declined to gauge the severity of the problem --
which he described as a "vulnerability caused by a bug" -- but suggested
that customers download the fix. 

"If it was in my network, I would look at upgrading," he said. "I wouldn't
panic." 

Analysts also weren't panicked, though they also weren't advising
complacence. 

"It would be potentially a disaster if such a security breach were to take
place," said Craig Mathias, president of Farpoint Group in Ashland, Mass. 

This is only the latest instance of an Internet-related product found to
be vulnerable because of a software glitch. In recent months, at least one
other Cisco bug has been discovered, as well as bugs that compromise
Internet browsers made by both Microsoft Corp. and Netscape Communications
Corp. 

Mathias said the bugs can't be avoided. "All software has bugs, and the
bigger the software gets, the more bugs it has." 

They keep knocking

"The underlying significance here is we have more and more people looking
at ways to get into and get access to systems that are critical to the
Internet," said Rob Enderle, an analyst at Giga Information Group, who
expressed doubt in the ability of vendors to consistently produce
glitch-proof products. 

"There's just too much change going on," he said. "The technology is going
to have to stabilize for a while until much heavier security can be
wrapped around a more simplified structure. What we're waiting for is a
major disaster. That's what it'll take to get us to a more secure
environment."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Oct 16 16:15:21 1998