The leak comprises chunks of IOS 12.3, the firm’s flagship router operating system, which is supported by almost 30 of Cisco’s hardware platforms. Cisco did not return calls for comment yesterday, but issued a statement saying it is investigating.

The story was first broken late Friday by SecurityLab.ru, a Russian security news site, and hit the English-speaking world over the weekend through machine translations posted to various mailing lists on which reporters lurk.

According to SecurityLab.ru, the leak and a 2.5MB sampler were made to an internet relay chat channel hosted by EFnet, a provider of IRC services. EFnet’s IRC has a reputation as a place where underground communications happen.

For Cisco the leak is, at best, an embarrassment, coming just a couple of days after Cisco CEO John Chambers used his Networld + Interop keynote speech to reiterate his company’s focus on security, among other areas.

At worst, the leak gives bad guys more information to work from when seeking currently unpublished vulnerabilities that could be used against Cisco users. However, access to source code is not usually necessary for such work to be carried out successfully.

Microsoft Corp suffered a similar breach of source code security in February, when hundreds of megabytes of Windows 2000 and NT source code were acquired and released onto file-sharing networks.

In that case, the code was traced back to Mainsoft, a Microsoft partner, rather than to Microsoft’s own network. It’s still not clear whether Mainsoft had its systems cracked, or if the code was released in some other way.

In Microsoft’s case, there has been only one minor published vulnerability that seems to have been found as a result of the source code leak. Of course, the unpublished ones, for which no remedy is apparent, are more concerning.

As with Microsoft’s leak, the Cisco incident gains significance because of the router giant’s large share of the high-end router market, estimated by analysts such as Dell’Oro Group at almost two-thirds of the total.

Much as attacks against Microsoft platforms affect virtually every network attached to the internet, attacks against Cisco kit are often attacks against the internet itself.