Cisco has discovered a bug in the operating system that controls many of its routing products which send data packets between networks. The bug could let unauthorized users snag passwords used by network administrators to access the routers and switches.
A rogue user can connect to a device and type in a string of characters to create a "buffer overflow." In turn, text fragments from previous users' interactions with the device are revealed; these fragments could potentially contain passwords. The unauthorized user need not actually log into the device -- just connecting and typing the proper sequence of keys is sufficient.
Roger Farnsworth, manager of Cisco's security Internet services unit, said that if a network is configured to refuse connection requests from any untrusted host the routing device would not be accessible to outside users.
"If the network is configured what we would consider to be appropriately, then this vulnerability really doesn't exist," Farnsworth said. "So as part of this [advisory] release, we are again encouraging customers to take advantage of the normal security-related precautions that are part of designing any IP network."
The bug will not display text from outgoing sessions that originate from a router; it only reveals text from commands and other interactions with the device.
The bug affects switches and routers running Cisco's Internetwork Operating System Software, version 9.1 or greater with the exception of several repaired versions that Cisco has listed in their security advisory. The advisory said that it was "impossible to list all Cisco products in this notice" that are affected by the bug.
Kit Knox, senior system administrator for ConnectNet, said that the bug would be difficult to exploit. Ironically, if a target site has a good password policy, it may be more vulnerable.
"If they changed their password every two weeks, then there would be more of a chance for that data to be accessible," Knox said. "But aside from that, there's not much personal data that [an attacker] could glean from it."
To determine whether or not a particular device is running the vulnerable software, the advisory said to log into the device and run the command Show Version. An affected system will then output the text "IOS" or "Internetwork Operating System Software."
The company is giving free software upgrades to customers, regardless of contract status. Customers with Cisco contracts can get the upgrade from the company Web site, and customers without contracts can get upgrades by contacting the Cisco's Technical Assistance Center.
Farnsworth said that Cisco has notified all registered customers of the problem and that the company has received no reports of attacks.
