
New Member

Cisco IDS/Linux exploits

As exploits come out that affect the Linux O/S that the Cisco IDS runs on, do you provide patches? Are we expected to patch the underlying operating system, or do you include that with the signature updates? I know the O/S that our RealSecure IDS systems run on has to be patched manually.


New Member

Re: Cisco IDS/Linux exploits

The IDS is based on Red Hat Linux. As I understand it, signature updates include only new IDS signatures; on the other hand, IDS service packs include the Linux OS upgrade as well. The Linux OS is COMPLETELY hidden from the user.

New Member

Re: Cisco IDS/Linux exploits

It's easy to log on as root to the IDS... but I would be interested to know if the IDS service packs contain O/S patches.

Cisco Employee

Re: Cisco IDS/Linux exploits

With Cisco IDS the user should not attempt to apply their own patches.

The operating system has intentionally been blocked off from the user during normal operation of the sensor.

Users attempting to install their own security patches could inadvertently compromise the security of the sensor, and could cause bugs in the IDS software. The underlying OS has been modified specifically for running the Cisco IDS, and applying patches from the web has been known to undo these modifications and cause major issues.

Only install updates that Cisco makes available through (or sent from a Cisco engineer when debugging an issue).

The only access to the underlying operating system is through the special "service" account, and should only be used under guidance by the attack.

The Signature Updates (filenames with -sig-) do not contain OS patches.

However, the Service Packs, Minor Updates, and Major Updates (filenames -sp-, -min-, -maj-) could contain (and have in the past contained) patches to both the IDS software and the underlying OS.

When a new Linux vulnerability is announced, the development team will verify whether or not the Cisco IDS is vulnerable.

Quite often the service being exploited has already been disabled on the sensor, or configured to prevent network access, in which case an immediate update of the sensor is not necessary as the sensor is not vulnerable to the attack.

In cases where the vulnerability has existed on the sensor, the service has usually already been locked down to only allow specifically user-designated addresses to access the sensor (the permit host lines in the "setup" command). In these situations the exposure to the attack is minimal, since the attack would have to come from an IP address that the user has specifically allowed access from. In this situation the security patch is delivered in the next service pack.

In rare cases (I don't think any have ever happened), the sensor may be vulnerable to attack from any IP address. If this were to happen, the team would either send out an emergency service pack (similar to an emergency signature update that is released the same day as the attack), or an engineering patch while the service pack is in progress, or the steps the user may need to take until the service pack is available. Either way, a notification should go out from Cisco to users on the Active Update Notification list (the email list where sig updates are announced), as well as a post to this Forum.
