Date: Mon, 29 Mar 2004 18:49:28 +0000
From: neal rauhauser <neal@...ts.rauhauser.net>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: Addressing Cisco Security Issues

   Cisco is going through convulsions right now due to counterfeiting
issues.

   Previously you could purchase a service contract with either advanced
hardware replacement (CON-AR-PKGxx) or advanced replacement with software
support (CON-SNT-PKGxx). The advance replacement (much cheaper) dried up
a while ago for smaller systems and now they're requiring that service
packages be processed through a Cisco reseller rather than via the old
web registration for anyone with a browser & contract. This makes it
much harder to register volumes of used equipment and it might just be
stemming the tide of counterfeits a bit, too.

   I've seen counterfeit Cisco 1721s with internal deformities (no
MOD1700 slot), I've got a couple examples of WICs in a drawer here that
*almost* work, and I hear the whole 1721/2600-XM line and all the
related NMs, WICs, VICs, etc. are available as well as some of the
Catalyst line.

   The big tip-off for counterfeits? They've got a valid Cisco serial
number, but if you try to put the device on contract it'll already be in
the Cisco contracts system registered to someone else. Leaking
destruction and manufacturing facilities have plagued Cisco for years,
now portions of the product support database have slipped out as well. I
hear tell of a strong correlation between the bogus part serial numbers
and one of the big three stocking distributors of Cisco equipment, but
I'm too shy to name names :-)

  Soooo ... if you're having trouble getting Cisco's attention on a code
security issue just understand that this is a distant second to floods
of gear that they didn't build but for which they're liable for support
and market perception of quality.

> 
> I have to post this because I consider this to be a security issue in its
> own right.
> 
> Recently there were a number of exploits released for Cisco equipment, among
> the affected equipment were the 677 and 678 consumer DSL routers of which
> there are millions in use.
> 
> I have one such router, the DSL circuit is provided by Alltel and I work for
> the ISP who provides the actual internet access.
> 
> So upon reading the recent warning notice sent to the security email lists about
> the exploits being publicly available I went and read
> http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says
> any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6
> because of later exploits) is vulnerable.
> 
> So like a good netizen I contacted Cisco TAC via telephone, gave them my 678
> serial number and they informed me that they could not provide the security
> update because my router is registered to Alltel (Alltel did provide the
> router when I ordered the DSL circuit), please call Alltel to get it. Ok so
> then I called Alltel, who told me no problem we can email you the update and
> asked for my email address. Except since Alltel is not the ISP I don't have
> an alltel email address so then they won't email it to me, please contact
> your ISP. I then informed Alltel that I AM MY ISP to which they replied they
> still could not provide the patch and that I would have to get it from
> Cisco.
> 
> So then I call Cisco TAC again, this time I explain the full details of all
> I've just been thru and the tech decides to ask someone. Comes back and says
> if I register on the cisco website that he can open a ticket and get someone
> to call me back on it. (I'm presently waiting for that call)
> 
> In the meantime I decided to google for it and lo and behold I found 2.4.6
> on a website (url not posted to protect the life-saving individuals who put
> it on the web). Now of course I've no way to know if this version I just
> found is safe or not but HELLO CISCO???
> 
> If you are going to issue security alerts that require ISPs and consumers
> to patch their hardware devices then you had better damn well make sure that
> folks can actually GET THE PATCHES. It would require no effort at all to
> post a bogus version full of back doors and whatnot on the web and after
> seeing the nightmare it is to obtain the patch thru official channels it's
> clear to me that this would be a very popular download.
> 
> Geo.

-- 
==================================================================
mailto:neal@...ts.rauhauser.net http://www.rauhauser.net fcc:K0BSD
Cisco, Soekris, OpenBSD, or Amateur Radio? See my web page ...
==================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html