Home > Archive > CCNA > April 2004 > Major Cisco router vulnerability
Major Cisco router vulnerability

Boulware5 2004-03-30, 9:43 pm
Now I am wondering... I have a Cisco 806 cable router. How the heck would I go about patching my router? It uses IOS 12.2. I found this....
quote:
    Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge.
    Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
    * +1 800 553 2447 (toll free from within North America)
    * +1 408 526 7209 (toll call from anywhere in the world)
    * e-mail: tac@cisco.com
    Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
    Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
Now if I email them they will supply me the patches?

Yankee 2004-04-01, 5:49 am
Last summer when Cisco announced these issues there was an IOS fix immediately. ISPs immediately upgraded their routers. We opted to block the 4 or 5 seldom used protocol types that were affected until our routers were upgraded to a newer IOS. I think these Italian kids are about 6-8 months too late to do any real harm.
Cisco does not issue patches in the Microsoft sense. They just fix the code and you upgrade your IOS. I do not know how TAC would handle this in your case, but maybe it would be a temporary CCO account to allow you to download a newer IOS.
Yankee

popdevil 2004-04-01, 8:52 am
Not really sure why Cisco doesn't allow you to download the latest IOS? Seems strange to me.

mikop 2004-04-01, 11:27 am
Obtaining Fixed Software
Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.shtml.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with obtaining the free software upgrade(s).
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. To ensure prompt service by email or by phone, please provide your name, company name, address, product serial number, and current version of Cisco IOS software that you are using. This can be documented by pasting the output of the show version command into the text of an email. Free upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.
See http://www.cisco.com/warp/public/68...ry/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers, instructions, and e-mail addresses for use in various languages.
http://www.cisco.com/warp/public/70...7-blocked.shtml
--------------------------
ebay is considered gray market... you acquire cheap equip for personal use... with no proper license in most cases...
many IOS are thousands of dollars, they don't come free with every 200 dollar used router purchase.
imagine if every ebayed 2500 user calling TAC demanding that they support their every tech support issue... for things that they did not pay for.
makes business sense... and makes common sense to me.
This issue was sort of hot a few years ago when some companies tried to save money by purchasing used equip and expecting support... buyers beware, but I think most companies have learned the importance of license management.

popdevil 2004-04-01, 1:11 pm
No one is asking Cisco to SUPPORT our used routers. Just would like to be able to update to the latest version that has bug fixes.
Microsoft doesn't give FREE SUPPORT either, but they do allow you to download the latest patches and bug fixes.

Boulware5 2004-04-01, 1:19 pm
So there's no way I can patch my home CISCO SOHO 91 router?

[author and time missing from archive]
patching IS support.
otherwise, it is known as AS IS.
plus, in addition there is no reason for them to support buggy software for non-customers, which most of us are in regard to our lab equipment.
MS should verify proper licensing b4 allowing the acquisition of patches... but with MS OS, most ppl are not educated in terms of licensing... so they let it slack. We are professionals, and should know that we need to have a proper license etc for all our software... and therefore, this isn't an issue when Cisco does not make it openly available except for those who have proper access to its software.
boulware, there is, and that is to acquire the proper license, or if you believe that you have the proper license or should have, then resolve that.
risk of doing business for cheap stuff on ebay... best course of action, beg beg beg someone you know who has access because I am relatively sure Cisco will just require you to acquire it through the proper channel.
edit: or if you had purchased it through one of the frequent established sellers on ebay, they may possibly burn it for you if you ask them... they load it on every used equip they sell, I am sure they would do it for you free or for a nominal fee.
otherwise, it really doesn't matter... no one is really interested in knocking your router off the net... there are bigger fish to fry... I am sure there are a lot more less publicized vulnerabilities that are more urgently in need of your attention, such as the openssh vulnerability for all linux users who think they are beyond MS's buggy crap

Boulware5 2004-04-01, 9:44 pm
I'm sorry but I think CISCO should support the home users too. I am not buying a "license" for that. I paid money for a CISCO product; I expect to get the proper patches and updates when there are vulnerabilities. I got to agree with what popdevil said.
edit: And this isn't my "lab" equipment. This is my everyday router.

forbesl 2004-04-02, 3:47 pm
Quit your whining! If you bought a used Cisco router or even a new one without a SmartNet contract, that's your problem, not Cisco's. One way for you to fix your problem: Don't buy Cisco. Otherwise, shut the hell up and deal with it.
One more thing, there are quick workarounds to your problem, such as making sure you don't have "ip http server" configured on your router, and blocking protocols 53, 55, 77, and 103 inbound on your outside interface. Notice I said "protocols" not "ports".
Example:
    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    etc...etc...
    int s0/0
    ip access-group 101 in
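The workaround in the post above, written out in full as an added example (this is not forbesl's configuration or Cisco's advisory text). It assumes the outside interface is Serial0/0 as in the post (on the 806/SOHO cable routers discussed in this thread, substitute the WAN Ethernet interface) and that the router has no legitimate use for IP protocols 53, 55, 77 or 103 on that interface; 103 is PIM, so skip that line if the router takes part in multicast routing there.

```cisco
! Added example, not from the thread. Assumes the Internet-facing interface is
! Serial0/0 and that none of the four protocol numbers below are needed inbound.
!
! 1. Stop exposing the IOS HTTP server to the outside.
no ip http server
!
! 2. Drop the four IPv4 protocol numbers inbound. These match the protocol field
!    of the IP header, not TCP/UDP ports, so there is no "eq <port>" clause.
!    "log" records each match so blocked attempts show up in the router log.
access-list 101 deny 53 any any log
access-list 101 deny 55 any any log
access-list 101 deny 77 any any log
access-list 101 deny 103 any any log
!
! Every IOS access list ends with an implicit "deny ip any any". Without this
! explicit permit, the four deny lines above would cut off ALL inbound traffic.
access-list 101 permit ip any any
!
! 3. Apply the list inbound on the outside interface.
interface Serial0/0
 ip access-group 101 in
!
! Verification after applying:
!   show ip access-lists 101   -> per-line match counters (denies should climb,
!                                 permit should keep counting normal traffic)
!   show ip http server status -> confirms the HTTP server is disabled
!   show version               -> the running IOS release to quote to TAC when
!                                 requesting fixed software, as the advisory asks
```

The ACL only reduces exposure on the interface it is applied to; it is the stop-gap Yankee describes earlier in the thread, not a substitute for moving to a fixed IOS release.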

Boulware5 2004-04-02, 5:00 pm
quote: Originally posted by forbesl
    Quit your whining! If you bought a used Cisco router or even a new one without a SmartNet contract, that's your problem, not Cisco's. One way for you to fix your problem: Don't buy Cisco. Otherwise, shut the hell up and deal with it.
    One more thing, there are quick workarounds to your problem, such as making sure you don't have "ip http server" configured on your router, and blocking protocols 53, 55, 77, and 103 inbound on your outside interface. Notice I said "protocols" not "ports".
    Example:
        access-list 101 deny 53 any any
        access-list 101 deny 55 any any
        etc...etc...
        int s0/0
        ip access-group 101 in
Don't got to be a dick about it, pal.

popdevil 2004-04-02, 6:18 pm
Must be a Cisco FANBOY...
I guess you are all for the car makers to find out about problems with their cars (brakes, tires etc) and let everyone know about it but not support anyone to fix it without an extended warranty?
Yeah, I can see it now. You bring your car into the dealer and tell them it's a known fact that the brakes fail and have caused death and you want it fixed. They tell you to buy a contract agreement first, then they will fix it. You would XXXXX a fit.
This is just like Microsoft, Cisco making software and finding out there are issues with it and making you pay for an updated patch because they didn't program it right the first time.

forbesl 2004-04-02, 6:59 pm
quote: Originally posted by popdevil
    Must be a Cisco FANBOY...
    I guess you are all for the car makers to find out about problems with their cars (brakes, tires etc) and let everyone know about it but not support anyone to fix it without an extended warranty?
    Yeah, I can see it now. You bring your car into the dealer and tell them it's a known fact that the brakes fail and have caused death and you want it fixed. They tell you to buy a contract agreement first, then they will fix it. You would XXXXX a fit.
    This is just like Microsoft, Cisco making software and finding out there are issues with it and making you pay for an updated patch because they didn't program it right the first time.
Once more, since you didn't seem to read it correctly the first time: If you don't like what Cisco does, then don't buy their products. Boycott them, tell your friends how much they suck, take them to court, etc. What part of that didn't you understand?
You must not be too upset with them since you're paying your hard earned $$$$$ to get certified with them.
Your ignorance betrays you when you suggest that Cisco didn't "program it right the first time". Security vulnerabilities pop up all the time due to hackers/crackers creating ever inventive ways of breaking into networks. It's a never ending cycle of software updates, IOS updates, etc. There is no "perfect" software when it comes to security vulnerabilities. Get used to it or find another field of interest.
Yes, I am a "Cisco FANBOY". If you've got a SmartNet contract with them, you get excellent service and technical support anytime you have problems. If you don't...well, you've missed out. That's the way it is, no matter how much you moan like a sick dog.

forbesl 2004-04-02, 7:01 pm
quote: Originally posted by Boulware5
    Don't got to be a dick about it, pal.
Truth hurts, don't it?

mikop [time missing from archive]
do you even hear yourself think, if you even do that?
my god... no wonder I despise this forum now...
fan boy? who is trying to get certified in Cisco but can't find their way around?
I had stated this before, and I will do so again...
go XXXXX at all the *way smarter than you dumbass* ppl who created the tcp/ip protocol, or anything about technology, including encryption etc... that if they had done their job right, we won't have all these security vulnerabilities involving IPv4...
What dumbasses thought they could design protocols for use to interconnect ppl without providing built-in security measures?

forbesl 2004-04-02, 7:14 pm
quote: Originally posted by mikop
    do you even hear yourself think, if you even do that?
    my god... no wonder I despise this forum now...
    fan boy? who is trying to get certified in Cisco but can't find their way around?
    I had stated this before, and I will do so again...
    go XXXXX at all the *way smarter than you dumbass* ppl who created the tcp/ip protocol, or anything about technology, including encryption etc... that if they had done their job right, we won't have all these security vulnerabilities involving IPv4...
    What dumbasses thought they could design protocols for use to interconnect ppl without providing built-in security measures?
...I like your style....

popdevil 2004-04-02, 7:19 pm
A FANBOY is a person that won't look at both sides of the story when it comes to certain things. A Cisco FANBOY is someone that is going to claim Cisco can't do any wrong ever. If you are happy leading a blind life, that's your problem.
...I never said I hated Cisco. I never said I hated Microsoft. I stated that when you make a product, you should support it. If I do not have a SmartNet contract, that means if my hardware dies then it dies and I purchase new hardware. If the OS is updated/patched by the company that made the hardware, they should at least allow the patch to be downloaded. I'm not asking for support for anything, just the update.
I've also got a better idea: if you don't like what is being said here, then you can boycott this forum.
This will be the last reply... This is not why I come to this forum, to fight with cry babies.

forbesl 2004-04-02, 7:30 pm
quote: Originally posted by popdevil
    A FANBOY is a person that won't look at both sides of the story when it comes to certain things. A Cisco FANBOY is someone that is going to claim Cisco can't do any wrong ever. If you are happy leading a blind life, that's your problem.
    ...I never said I hated Cisco. I never said I hated Microsoft. I stated that when you make a product, you should support it. If I do not have a SmartNet contract, that means if my hardware dies then it dies and I purchase new hardware. If the OS is updated/patched by the company that made the hardware, they should at least allow the patch to be downloaded. I'm not asking for support for anything, just the update.
    I've also got a better idea: if you don't like what is being said here, then you can boycott this forum.
    This will be the last reply... This is not why I come to this forum, to fight with cry babies.
That might be your last reply, but I know you'll be reading mine...
Your ignorance again betrays you. This is not just a "patch" for the IOS. There is no such thing with Cisco. When you get a fix, it's an entire new IOS. If you'd check into the price for a Cisco IOS, you'd find out why Cisco can't afford to give a free IOS to every clown that purchased a router on ebay or at "Fred's Used Routers" thinking they were getting a good deal.
Cry babies??? Who was doing the bitching and babbling about how unfair it all is? Not me. I don't recall a single snivel coming from me. Maybe you should pull that finger out of your butt and point it back at yourself.

Joe Dali 2004-04-02, 8:42 pm
We already went through this with my post in January ... yes it does suck, that's why you need a support agreement with Cisco. I paid $3500 for mine.

forbesl 2004-04-03, 9:51 am
If you wanna dance, you gotta pay the band...

thebonzodog 2004-04-05, 2:58 am
I see the arseholes are out in force again...

mawwoods 2004-04-05, 6:53 pm
I have a Cisco SOHO router, bought new through a reseller for use at home. Works nicely and was useful for practicing for the exams.
I also spent a bit of time looking around the site for an upgrade to my current IOS to fix the vulnerability reported on recently. It eventually dawned on me that I would need to pay extra for it.
Am I upset? Yes and no. I am a developer, and understand how much it costs in time, effort and money to develop new software. It would be unreasonable to expect Cisco to offer a full IOS upgrade for free.
I also thought about the car analogy. If software was a car, and had a fault at point of manufacture, then you would be entitled to take it back and get it fixed.
But security is a bit of a changing world. What was fully functional for some period of time suddenly gets overtaken when someone comes up with a clever idea. Sort of like being sold a suit of armour, pretty good against sharp pointy things, but not so good when some bright spark comes back with rifles.... Do you get a refund then? Should the manufacturer be guaranteeing indefinite security?
I think probably not.
On the other hand, I did pay a premium for the router I bought over others on the market. Why? Cisco had the better reputation (well, and the chance to study with it!). I don't necessarily expect to have a hotfix applying specifically to the fault made available to me, but having recently bought the router, it would have given me a warm fuzzy feeling! And it might not be so difficult or expensive.
Cisco are well within their rights to ask me to pay a service contract. And I am free to go and buy/recommend someone else's software/hardware if I feel they are not offering value. And I might, as I cannot afford a service contract..... my choice, and theirs to offer alternatives.....
just felt like sharing!

Joe Dali 2004-04-05, 7:36 pm
I think for the students, or little guys out there, there should be some kind of a deal. Does Microsoft charge for Windows Update? How many developers does it take to keep that site going? Probably a ton. Would Microsoft get heat if they charged for patches? Hell yes. But, it's a different analogy I guess.
Jose in Ohio

Yankee 2004-04-06, 5:36 am
"Can't we all just be friends?"
Yankee

Joe Dali 2004-04-06, 8:56 am
Who really likes Britney out there for real? Anyone been to the Onyxxx tour yet?
I'm trying to figure out who truly likes her out there.

forbesl 2004-04-06, 9:12 am
quote: Originally posted by Joe Dali
    Who really likes Britney out there for real? Anyone been to the Onyxxx tour yet?
    I'm trying to figure out who truly likes her out there.
...where's the moderator when you need him...

dmaftei 2004-04-06, 10:21 am
quote: Originally posted by forbesl
    ...where's the moderator when you need him...
Yeah, really... He should've removed all your posts in this thread for foul language. "Shut the hell up...", "moan like a sick dog...", "pull that finger out of your butt..." Sheesh...

forbesl 2004-04-06, 2:08 pm
quote: Originally posted by dmaftei
    Yeah, really... He should've removed all your posts in this thread for foul language. "Shut the hell up...", "moan like a sick dog...", "pull that finger out of your butt..." Sheesh...
I see. So it's OK for you to REPRINT my "foul language", huh? Pull your head out... if it's too bright for you, here's some sunglasses.

dmaftei 2004-04-06, 2:56 pm
quote: Originally posted by forbesl
    So it's OK for you to REPRINT my "foul language", huh?
Yeah, it is, unless you have some sort of copyright on your "pearls of wisdom".
The fact is, normal people can have a civilized discussion about their differing opinions, but you don't seem to belong to that group...

Boulware5 2004-04-06, 3:32 pm
Maybe this thread should be closed.

forbesl 2004-04-06, 4:03 pm
quote: Originally posted by dmaftei
    Yeah, it is, unless you have some sort of copyright on your "pearls of wisdom".
My point was that you were complaining about my "foul language", yet you repeated the SAME "foul language" from my thread in your post. Maybe you should be a TV evangelist, that way you can be a hypocrite and get paid for it.
quote:
    The fact is, normal people can have a civilized discussion about their differing opinions, but you don't seem to belong to that group...
Well, sometimes you gotta be an XXXXXXX, otherwise nothing gets done. When you grow up, you might realize that.

dmaftei 2004-04-06, 4:34 pm
quote: Originally posted by forbesl
    yet you repeated the SAME "foul language" from my thread in your post
There's a big difference between using and quoting foul language, but that difference is not obvious to everybody, is it?
quote:
    Well, sometimes you gotta be an XXXXXXX, otherwise nothing gets done.
Yeah, right... Makes me wonder why people who actually contribute something to this forum never had the need to be "XXXXXXX" (whatever "XXXXXXX" means)...

forbesl 2004-04-06, 7:27 pm
quote: Originally posted by dmaftei
    There's a big difference between using and quoting foul language, but that difference is not obvious to everybody, is it?
Well, since you're obviously a Byzantine monk who will probably go into convulsions if you see or hear "foul language", I apologize. I'm sure you've never heard it on TV or read it anywhere else (I'm sure they don't have graffiti on the stalls in your monastery).
quote:
    Yeah, right... Makes me wonder why people who actually contribute something to this forum never had the need to be "XXXXXXX" (whatever "XXXXXXX" means)...
Well, my contributions at times probably really piss.... oops, I mean make people mad. When I see ignorance and stupidity I tend to express how I feel. I might not have contributed anything to the individuals in this thread who were whining so loud, but I'm sure there are others like me who feel the same way. So you see, I contributed to their belief that ignorant, whining shit... er, poop... er, dungheads deserve a little flaming now and then.
'Nuff said on my part in this thread. You're beginning to bore me. I leave to you the last word....

dmaftei 2004-04-07, 8:50 am
quote: Originally posted by forbesl
    'Nuff said on my part in this thread.
Good! Your best contribution so far.

Yankee 2004-04-10, 8:06 am
I'll take the last word! Shaddup
Yankee

stnosc 2004-04-16, 2:38 pm
I'm just a newbie here, but I've just got to reply to this thread.
First of all, even though I'm new to this forum, I've got many years of Cisco experience. Yes, I only have a CCNA, but I work at the CCNP/CCSP level... no need wasting my money getting the cert if I already work at that level. Besides, certs seem to be marginalized nowadays because of all the cheating that goes on. I'd rather have the experience than the piece of paper.
Anyway, I got to say that buying a piece of Cisco equipment without getting a Cisco service contract is, well, just plain stupid. Cisco is not Microsoft, so comparing the two is ridiculous. Their product lines are completely different, as well as their service structure.
If you buy your stuff on E-bay, expect what you pay for. You don't expect free service from the car dealer when you buy a used lemon, do you?
I can understand someone buying a used router/switch from E-bay for a study lab, but don't expect free IOS upgrades when you choose to do so. If you're buying one to use as a production machine (whether for home or office), you should definitely have purchased a service contract.
If you don't think you can afford the Cisco service contract, then just maybe you should have bought a Netgear, Linksys, or other brand router for your home.
Hindsight is always 20/20, isn't it? It sucks to learn the hard way sometimes.

mawwoods 2004-04-17, 8:40 am
quote:
    Anyway, I got to say that buying a piece of Cisco equipment without getting a Cisco service contract is, well, just plain stupid. Cisco is not Microsoft, so comparing the two is ridiculous. Their product lines are completely different, as well as their service structure.
    If you buy your stuff on E-bay, expect what you pay for. You don't expect free service from the car dealer when you buy a used lemon, do you?
    I can understand someone buying a used router/switch from E-bay for a study lab, but don't expect free IOS upgrades when you choose to do so. If you're buying one to use as a production machine (whether for home or office), you should definitely have purchased a service contract.
    If you don't think you can afford the Cisco service contract, then just maybe you should have bought a Netgear, Linksys, or other brand router for your home.
Ok, first the things I agree with. I cannot argue with stnosc about buying from ebay, you can get less than you expect and should not be surprised by that.
And yes, Cisco and Microsoft are different.
I also work in IT, and am familiar with how large BTB agreements work, and I also agree that when you buy a piece of equipment you have to budget for a service and support contract. If you buy a complex bit of equipment for use in an enterprise environment I agree it is likely to require significant ongoing expenditure.
But buying for small or home office (SOHO) use is a different situation entirely. Purchasers like these cannot be expected to have a large amount of knowledge about how each company structures its pricing.
CISCO offers routers for small/home office use (they are sold as SOHO routers). I have a SOHO 97 router, and I bought it from a reseller new. At no point was I advised to get a service contract.
Further, if it does cost thousands of dollars (as stated previously in this thread) then I would be interested to see how this provides an appropriate level of service. I would think that most SOHO users would find some sort of lower level service provision more appropriate.
My expectations were built on my experience of cheaper, non-enterprise routers which in some instances seem to have extensive online support.
I am not arrogant enough to tell CISCO what to provide, they are a business and it is up to them. I am just trying to explain how a stupid person like myself had to find out by experience what the situation was.

stnosc 2004-04-17, 9:32 am
quote: Originally posted by mawwoods
    CISCO offers routers for small/home office use (they are sold as SOHO routers).
Yes, I'm aware of that.
quote:
    I have a SOHO 97 router, and I bought it from a reseller new. At no point was I advised to get a service contract.
Your reseller should have informed you about the contract. When we purchase Cisco equipment, our reseller always asks us if we want the SmartNet contract.
quote:
    Further, if it does cost thousands of dollars (as stated previously in this thread) then I would be interested to see how this provides an appropriate level of service.
A SmartNet contract for your SOHO router will not cost you thousands of dollars. You can purchase a contract for a year or longer. But again, if you can't afford the cost, maybe you should get another brand. A Cisco router, SOHO or otherwise, didn't make any sense for my home network, so I bought a Linksys instead (with stateful firewall packet inspection of course).
quote:
    I am just trying to explain how a stupid person like myself had to find out by experience what the situation was.
I didn't say anyone was stupid, I said it was stupid to buy the equipment without the service contract. All people do stupid things from time to time, but that doesn't mean they are always stupid. I don't think you're stupid. You just did a stupid thing, IMO. Experience is always the best teacher.