CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 07/18/03

  • Next message: CERT Advisory: "CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface" 
    Date: Fri, 18 Jul 2003 10:29:30 -0400
To: cert-advisory@cert.org

    -----BEGIN PGP SIGNED MESSAGE-----

    CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface
    Blocked Vulnerabilities

       Original release date: July 18, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history can be found at the end of this file.

    Systems Affected

         * All Cisco devices running Cisco IOS software and configured to
           process Internet Protocol version 4 (IPv4) packets

    Overview

       An exploit has been posted publicly for the vulnerability described in
       VU#411332, which was announced in

       http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

    I. Description

              An exploit has been posted publicly for VU#411332. This exploit
              allows an attacker to interrupt the normal operation of a
              vulnerable device. We believe it is likely that intruders will
              begin using this or other exploits to cause service outages.

              If you believe you have been the victim of intruder activity
              related to this vulnerability, we encourage you to report that
              activity to your local incident response team, if any, and to
              the CERT Coordination Center. Relevant artifacts or activity
              can be sent to cert@cert.org with "CERT#24229" in the subject
              line. If you are not able to communicate via electronic mail,
              contact CERT/CC by phone at the number listed at the bottom of
              this document.

              Many large service providers have already taken action or are
              in the midst of upgrading. However, if you have not already
              taken action, we strongly encourage you to review the advisory
              provided by Cisco and take action in accordance with your
              site's maintenance and change management procedures. Cisco's
              advisory can be found at

        http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

              The CERT/CC will continue to provide information about this
              vulnerability through VU#411332.

              Any information regarding intruder activity related to this
              vulnerability will be posted to the CERT/CC Currect Activity
              page, available at

         http://www.cert.org/current/

    II. Impact

              By sending specially crafted IPv4 packets to an interface on a
              vulnerable device, an intruder can cause the device to stop
              processing packets destined to that interface. Quoting from
              Cisco's advisory:

         A device receiving these specifically crafted IPv4 packets will
         force the inbound interface to stop processing traffic. The device
         may stop processing packets destined to the router, including
         routing protocol packets and ARP packets. No alarms will be
         triggered, nor will the router reload to correct itself. This issue
         can affect all Cisco devices running Cisco IOS software. This
         vulnerability may be exercised repeatedly resulting in loss of
         availability until a workaround has been applied or the device has
         been upgraded to a fixed version of code.

    III. Solution

    Apply a patch from Cisco

              Upgrade as described in Cisco's Advisory.

    Restrict access

              Until a patch can be applied, you can mitigate the risks
              presented by this vulnerability by judicious use of access
              control lists (ACLs). The correct use of ACLs depends on your
              network topology. Additionally, ACLs may degrade performance on
              some systems. We recommend reviewing the following before
              applying ACLs:

    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds
    http://www.cisco.com/warp/public/707/racl.html
    http://www.cisco.com/warp/public/707/iacl.html
                __________________________________________________________

              The CERT Coordination Center thanks Cisco Systems for notifying
              us about this problem and for helping us to construct this
              advisory.
                __________________________________________________________

              Authors: Shawn Hernan and Martin Lindner
              _______________________________________________________________

              This document is available from:
              http://www.cert.org/advisories/CA-2003-17.html
              _______________________________________________________________

    CERT/CC Contact Information

            Email: cert@cert.org
                    Phone: +1 412-268-7090 (24-hour hotline)
                    Fax: +1 412-268-6989
                    Postal address:
                    CERT Coordination Center
                    Software Engineering Institute
                    Carnegie Mellon University
                    Pittsburgh PA 15213-3890
                    U.S.A.

              CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
              EDT(GMT-4) Monday through Friday; they are on call for
              emergencies during other hours, on U.S. holidays, and on
              weekends.

    Using encryption

              We strongly urge you to encrypt sensitive information sent by
              email. Our public PGP key is available from

            http://www.cert.org/CERT_PGP.key

              If you prefer to use DES, please call the CERT hotline for more
              information.

    Getting security information

              CERT publications and other security information are available
              from our web site

            http://www.cert.org/

              To subscribe to the CERT mailing list for advisories and
              bulletins, send email to majordomo@cert.org. Please include in
              the body of your message
              subscribe cert-advisory

              * "CERT" and "CERT Coordination Center" are registered in the
              U.S. Patent and Trademark Office.
              _______________________________________________________________

              NO WARRANTY
              Any material furnished by Carnegie Mellon University and the
              Software Engineering Institute is furnished on an "as is"
              basis. Carnegie Mellon University makes no warranties of any
              kind, either expressed or implied as to any matter including,
              but not limited to, warranty of fitness for a particular
              purpose or merchantability, exclusivity or results obtained
              from use of the material. Carnegie Mellon University does not
              make any warranty of any kind with respect to freedom from
              patent, trademark, or copyright infringement.
                __________________________________________________________

              Conditions for use, disclaimers, and sponsorship information

              Copyright 2003 Carnegie Mellon University.

              Revision History

    July 18, 2003: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQCVAwUBPxgDAGjtSoHZUTs5AQEY6AQA0hYldKCx/AR+SnYaZG5zJ6lHQp4zL9hs
    NasNnBnRLW/xqslHBfnjt73pl47cEbZwgVb6B+jjngWHKKRJ2HN8NDijDxkmFvWw
    QIOflS1neDMTbpuFwbT/KFBUMOR3eXYumlLCa8m2NbxCxt3aaBBZeXrOxGoUEp3L
    nIbMK+mHKxY=
    =0maj
    -----END PGP SIGNATURE-----

  • Next message: CERT Advisory: "CERT Advisory CA-2003-17 Exploit available for for the Cisco IOS Interface"

    Relevant Pages