The Cisco Global Exploiter attack tool exploits twelve previously disclosed software vulnerabilities to allow an attacker to compromise Cisco Catalyst switches, CiscoSecure ACS and some systems running Cisco's Internetwork Operating System (IOS).
The toolkit, posted to a French-language computer security exploit web site on March 28 by an Italian group calling itself BlackAngel, provides users with an array of hacking choices aimed at Cisco products. Most of the exploits only allow attackers to shut down affected Cisco routers and switches through denial of service (DoS) attacks. However, one of the exploits allows remote attackers to run malicious code on an affected system without requiring a username or
Cisco has advised users to patch the software vulnerabilities that are exploited by Cisco Global Exploiter. The twelve vulnerabilities are not new, and patches have been available for some time. If the appropriate patches have not been installed, it is important that administrators and users do so immediately. The release of the toolkit could create a flood of attacks as script kiddies and others begin using the automated attacks to exploit unpatched systems.
The twelve vulnerabilities, some of which were discovered as far back as 2000, are:
- Cisco 677/678 Telnet Buffer Overflow (Alert 3848)
- IOS Router Denial of Service (Alert 1325)
- IOS HTTP Authentication Vulnerability (Alert 2377)
- IOS HTTP Configuration Arbitrary Administrative Access (Alert 2377)
- Catalyst SSH Protocol Mismatch Denial of Service (Alert 1571)
- 675 Web Administration Denial of Service (Alert 2589)
- Catalyst 3500 XL Remote Arbitrary Command (Alert 1327)
- IOS Software HTTP Request Denial of Service (Alert 1325)
- 514 UDP Flood Denial of Service (Alert 2875)
- Cisco CiscoSecure ACS Multiple Vulnerabilities (Alert 1133)
- Cisco CatOS HTTP Server Buffer Overflow Vulnerability (TruSecure
- Cisco Catalyst Switch Denial Of Service Vulnerability (Alert 1529)
Cisco has compiled and released patches and workarounds for the first ten vulnerabilities listed above at the following link: Cisco. Patches for the last two vulnerabilities can be found in the corresponding Alerts. A company spokesperson said the company was unaware of any active attacks on the vulnerabilities.
All of the vulnerabilities that can be exploited by this new toolkit were identified between October 26, 2000 and May 24, 2002. It is unlikely that any affected products will still be in use in an unpatched state on the perimeter. Organizations that use these products may want to consider reviewing software levels on the products used internally or in lab conditions.