Upgrade your IOS!

cmetz (Platinum Member, Nov 13, 2001)
Pay close attention to what versions are and are not affected - if you've kept updated in the last six months or so you should be fine.

Cisco's QA sucks now, and so IOS upgrades are a lot riskier than in the past - don't go upgrading to the latest and greatest unless you actually need to.

InlineFive (Diamond Member, Sep 20, 2003)
Originally posted by: cmetz
Pay close attention to what versions are and are not affected - if you've kept updated in the last six months or so you should be fine.

Cisco's QA sucks now, and so IOS upgrades are a lot riskier than in the past - don't go upgrading to the latest and greatest unless you actually need to.

Darnit, when did this happen? Are there no decent companies left?

cmetz (Platinum Member, Nov 13, 2001)
InlineFive, Juniper is good for the M/T/J series. They are complete idiots about sales, though.

m1ldslide1 (Platinum Member, Feb 20, 2006)
I saw this too - we have a pair of 3600s at the edge and are going to have to update. They were sure short of technical details about the 'crafted attack'... probably so they don't encourage people.

jlazzaro (Golden Member, May 6, 2004)
Originally posted by: m1ldslide1
I saw this too - we have a pair of 3600s at the edge and are going to have to update. They were sure short of technical details about the 'crafted attack'... probably so they don't encourage people.

I read somewhere there's no "known" public exploit script for these vulnerabilities... probably just covering their asses.

RebateMonger (Elite Member, Dec 24, 2005)
Originally posted by: jlazzaro
I read somewhere there's no "known" public exploit script for these vulnerabilities... probably just covering their asses.
Yeah, but supposedly there are criminal types who like to try to reverse-engineer security patches to see exactly how to attack the UNPATCHED devices.

It's getting really hard to ignore patches nowadays. Nobody likes to upgrade stuff just for the sake of upgrading. In fact, if I went around upgrading every single piece of firmware and software at all my clients, I'd probably be doing UPGRADES full time. Forever.

But if somebody breaks in, and it turns out that they used a known exploit, and the device manufacturer had already released a patch six months ago......

jlazzaro (Golden Member, May 6, 2004)
Question about these version numbers...

The TCP DoS base 12.4 table claims the rebuilds (first fixed releases) are 12.4(3e) and 12.4(7b). If your current IOS is the same as or later than the rebuilds, you're OK.

What if you're running a version in between the two listed versions? i.e. 12.4(3f), 12.4(5a), etc.

FreshPrince (Diamond Member, Dec 6, 2001)
Originally posted by: RebateMonger
Originally posted by: jlazzaro
I read somewhere there's no "known" public exploit script for these vulnerabilities... probably just covering their asses.
Yeah, but supposedly there are criminal types who like to try to reverse-engineer security patches to see exactly how to attack the UNPATCHED devices.

It's getting really hard to ignore patches nowadays. Nobody likes to upgrade stuff just for the sake of upgrading. In fact, if I went around upgrading every single piece of firmware and software at all my clients, I'd probably be doing UPGRADES full time. Forever.

But if somebody breaks in, and it turns out that they used a known exploit, and the device manufacturer had already released a patch six months ago......


damned if you do, damned if you don't....

cmetz (Platinum Member, Nov 13, 2001)
InlineFive, there is not currently any vendor for switches that I consider to be doing QA well enough. I've been buying SMC's switches lately for L2, and they're working well for me. If I'm not getting enterprise-class reliability, I'm not going to pay an enterprise-class price for it! I'm buying Extreme "i" switches for L3, and they're okay, the software is definitely a rough ride but their hardware is good. Those boxes are getting cheaper now, finally.

jlazzaro,
"I read somewhere there's no "known" public exploit script for these vulnerabilities"

Vendors rarely write security advisories that say "the bad guys have scripts to exploit these vulnerabilities" because that makes customers quite unhappy. They also rarely write security advisories that say "we found out about this bug a year ago, and the bad guys probably knew about it months before that. We fixed it six months ago, and we told the customers who are really important to us about it then. But we're only telling YOU about it now." Because that too makes customers quite unhappy.

Just because they don't explicitly say these things doesn't mean you can't -- and shouldn't -- read between the lines.

My understanding of how to read the version chart is that you are okay if you're running a version newer than the version listed as maintenance, that is, that's the version where it got put into the tree. However, they also took an older and recommended stable version and created a one-off branch version of that with the fix applied, and that's the rebuild version. So you're okay if you get that one particular version ("rebuild"), or if you are running a version newer than the maintenance version listed. I admit that I could be wrong here, it is definitely confusing.

In practice, I always interpret these things as telling me to update my boxes to the newest version available that's stable enough, and/or that's above the maintenance version listed. I figure if I'm going to take the test/upgrade/test pain at all I might as well get current.

RebateMonger, that's why you build a network with defense in depth. Software has bugs, and applying patches sometimes creates new ones as well as bringing operational risk into the picture. To the best of your ability, you should build a network so that an exploitable bug doesn't make you a sitting duck: you have other layers of defense so that malicious parties can't actually carry out the exploit.
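An added example, not from the thread, that encodes the chart reading cmetz gives above (a listed rebuild, or anything at or above the maintenance release) as a Python check an operator could run over an inventory of running versions. It assumes rebuilds of one maintenance release are cumulative (so 12.4(3f) counts once 12.4(3e) is listed) and uses a constructed 12.4(8) as the maintenance release, since the thread does not name it; versions the chart does not cover, such as jlazzaro's 12.4(5a), come back as not known to be fixed.

```python
import re
from dataclasses import dataclass

# Mainline IOS release string: major.minor(maintenance[rebuild]), e.g. "12.4(3e)".
_IOS_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


@dataclass(frozen=True, order=True)
class IosVersion:
    major: int
    minor: int
    maint: int
    rebuild: str  # "" (base release) sorts before "a", and "a" before "b"

    @classmethod
    def parse(cls, text: str) -> "IosVersion":
        m = _IOS_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised mainline IOS version: {text!r}")
        major, minor, maint, rebuild = m.groups()
        return cls(int(major), int(minor), int(maint), rebuild)

    def same_train(self, other: "IosVersion") -> bool:
        return (self.major, self.minor) == (other.major, other.minor)


def is_known_fixed(running: str, first_fixed: list, maintenance: str) -> bool:
    """True only when advisory data says `running` carries the fix.

    Encodes cmetz's reading of the chart plus the assumption that rebuilds of
    one maintenance release are cumulative: fixed if running is a listed
    rebuild (or a later rebuild of that same maintenance release), or is at or
    above the maintenance release that integrated the fix. Anything else,
    including versions between two listed rebuilds, is not known to be fixed.
    """
    run = IosVersion.parse(running)
    integ = IosVersion.parse(maintenance)
    if not run.same_train(integ):
        raise ValueError("compare against the advisory row for the running train")
    for fixed in map(IosVersion.parse, first_fixed):
        if run.same_train(fixed) and run.maint == fixed.maint and run.rebuild >= fixed.rebuild:
            return True
    return run >= integ


if __name__ == "__main__":
    # Constructed inputs: the thread's two rebuilds plus a hypothetical 12.4(8) maintenance release.
    rebuilds = ["12.4(3e)", "12.4(7b)"]
    for v in ["12.4(3e)", "12.4(3f)", "12.4(5a)", "12.4(7a)", "12.4(9)"]:
        print(v, "fixed" if is_known_fixed(v, rebuilds, "12.4(8)") else "NOT known fixed")
```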

randal (Golden Member, Jun 3, 2001)
Randomly picked up a Dell 3424 for some dumb L2 closet aggregation and was pretty surprised at the feature set - 802.1x, qos, standard vlan stuffs, dynamic vlan/mac assignment, pretty much comparable to the 2950s and 3500s out there. Oh, and it has 2xCopper gigE and 2xSFPs. Pretty tough to beat a $300 switch that gets you all the features of a ~$1k green-box.

cmetz (Platinum Member, Nov 13, 2001)
randal, many of the features in the 34xx series are not fully, or correctly, implemented. That is to say, they did enough to let them claim to support, say, 802.1x, but they did not do enough to make it *useful*. Also, Dell's support sucks very very much. "Award winning" is truly the most polite way I can put it. The worst part is that their 33xx series actually were better quality products and had some useful features that they took out in the 34xx series (though the 34xx series added some other features, they turn out not to be useful). So they basically dumbed them down.

Dell's software quality for their switches has not been anywhere close to enterprise quality in my experience, and their support is incapable of fixing it. I'm pretty sure that Dell can only really ask the real OEM to fix bugs and neither party is very inclined to do that. So if you do run into a bug, you're basically SOL, in my experience.

I have to do an expensive forklift upgrade to rip out every Dell switch across several buildings and replace them with something better, because features on the 34xx data sheet don't actually work and Dell doesn't care.

All that said, the Dell switches can sometimes be had on the very cheap (esp. if you buy a lot of computers at the same time) and you could do worse. For example, I'd rather somebody get a 34xx switch for a business than an unmanaged switch.