Friday, February 09, 2007

Cisco IOS Display Bug

Last night, while logged into a router deployed at the network edge, I noticed an uninvited guest:

br02#sh users
Line User Host(s) Idle Location
1 vty 0 idle 00:00:01 201.63.40.18
2 vty 1 root idle 00:00:02 201.63.40.18

What's this, a root login to a Cisco router? I was pretty sure a root login did not exist in our AAA server, but I checked the TACACS log just to verify. No unauthorized logins there. Where is this login coming from?

whois 201.63.40.18
[Querying whois.lacnic.net]
[Redirected to whois.registro.br]
inetnum: 201.63.40.16/29
aut-num: AS10429
abuse-c: STE21
owner: Acoplast Indústria e Comércio Ltda
ownerid: 061.344.578/0001-50
responsible: Josiel Augusto Morosi
owner-c: JAM651
tech-c: JAM651
created: 20060830
changed: 20060830
inetnum-up: 201.63/16

nic-hdl-br: JAM651
person: JOSIEL AUGUSTO MOROSI
e-mail: josiel@acoplast.com.br

We definitely don't have any engineers in Brazil. Could this be a covert channel or an exploit of a recent bug?

I quickly opened a case, and received the following response:

A display bug exists in earlier versions of IOS where a user connecting to the ssh or telnet port will display as logged in while connected even if they have not successfully authenticated. You can check if this is the case on your device if you enter a login and do not authenticate successfully, then do a "show user". This should display your "rogue" connection as a connected user.

I am not currently aware of a BugID for this issue.


As these are most likely brute-force attempts, an access-list applied to the VTY lines should mitigate them. Were the crackers in Brazil restless last night?
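The VTY access-list mentioned above, as an added example that is not from the original post or from Cisco's response; the 10.0.0.0/8 management prefix and the ACL name are placeholders, and the login block-for line is a separate IOS feature that goes beyond the ACL the post describes:

```cisco
! Constructed example: only the management network may open a VTY session.
! Unauthenticated connections from anywhere else are refused at the TCP
! accept stage, so they never appear in "show users" and never reach login.
ip access-list standard VTY-MGMT
 remark placeholder management prefix - replace with your own
 permit 10.0.0.0 0.255.255.255
 deny   any log
!
line vty 0 4
 ! apply the filter to inbound connections on every VTY line
 access-class VTY-MGMT in
 ! ssh only; drop telnet, which exposes credentials in cleartext
 transport input ssh
 ! idle sessions are torn down after five minutes
 exec-timeout 5 0
 login authentication default
!
! Extra, not from the post: after 3 failed logins within 60 seconds,
! refuse further login attempts for 120 seconds and log the failures.
login block-for 120 attempts 3 within 60
login on-failure log
```

The `deny any log` entry generates a syslog message per refused connection, which gives a record of the brute-force attempts that the VTY lines no longer see.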
