Re: Cisco IOS EIGRP Network DoS

From: Damir Rajnovic (gaus@cisco.com)
Date: 12/19/02

    Date: Thu, 19 Dec 2002 17:51:07 +0000
    To: bugtraq@securityfocus.com, darklab@darklab.org
    From: Damir Rajnovic <gaus@cisco.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    We can confirm the statement made by FX from Phenoelit in his message
    "Cisco IOS EIGRP Network DoS" posted on 2002-Dec-19. The EIGRP
    implementation in all versions of IOS is vulnerable to a denial of
    service if it receives a flood of neighbor announcements. EIGRP is
    Cisco's extension of the IGP routing protocol used to propagate routing
    information in internal network environments.

    The workaround for this issue is to apply MD5 authentication that will
    permit the receipt of EIGRP packets only from authorized hosts.
    You can find an example of how to configure MD5 authentication for
    EIGRP at the following URL (possibly wrapped):
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/
    np1_c/1cprt1/1ceigrp.htm#xtocid18

    If you are using EIGRP in the unicast mode then you can mitigate
    this issue by placing an appropriate ACL that will block all EIGRP
    packets from illegitimate hosts. In the following example the
    EIGRP neighbor has the IP address 10.0.0.2 and the local router
    has the address 10.0.0.1.

    Router#config t
    Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
    Router(config)#access-list 111 deny eigrp any host 10.0.0.1

    The previous example will permit all EIGRP packets through the router
    and into the rest of the network. If you want to block these packets
    as well then use the following commands instead of the previous example:

    Router#config t
    Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1
    Router(config)#access-list 111 deny eigrp any any

    An ACL will not be effective if you are using the default multicast mode
    of EIGRP neighbor discovery. However, multicast packets should not be
    propagated through the Internet so an attacker must be on the same local
    network segment as the target router in order to exploit this issue with
    multicast advertisements.

    The issue with the EIGRP neighbor command that FX is referring to has
    been assigned Cisco Bug ID CSCdv19648 and is visible to all registered
    users through Cisco's Bug Toolkit at
    http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
    At the time of writing this notice Cisco PSIRT does not have a current
    estimate on when the fix will be available.

    Gaus

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.3

    iQEVAwUBPgIFTw/VLJ+budTTAQE7yggAiDxmo8MFD9rULZAG1PKcnn0wfHungE1a
    dMfLN1oUaW7LYaMv+PJYkCvSO4t8oJlmQE9MXV3Q9VgLu9FHQDul3tzpOXMCmRB9
    19H0XThGXzj7hDUbOrqgYXgDKQucarXg6yZ0nIuxNhEkl4XsnDohaMIkH7ynV/mY
    mQ2qIehPw6aus2plvGDKDYZVTbClHk1qjTWhL3AgFqbVH9zkOHppLF47kP/adRlh
    GeloUfxwMAJP2w4/MXObHMr9ELY+8mku/Fi0IBMfnZtS/VprZQZuvYQQmov7uYMV
    VkvCoI/mkjkJGlTZyxHGtIbQGelC/eub+r4SiCxtH6APiFWaYWnwVw==
    =o5+g
    -----END PGP SIGNATURE-----
    ==============
    Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
    <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
    200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
    ==============
    There are no insolvable problems.
    The question is: can you accept the solution?
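The neighbor-announcement flood described in the message above, seen from the detection side. This is an added example and is not Cisco's code or anything from the original post: it parses EIGRP Hello packets from raw bytes (20-byte header of version, opcode, checksum, flags, sequence, acknowledge, virtual router ID and AS number, followed by TLVs, as in the EIGRP packet format published in RFC 7868), verifies the one's-complement checksum, and flags an interface that suddenly sees many more distinct Hello sources than it has real neighbors, or Hellos without an authentication TLV once MD5 authentication is the policy. The MD5 TLV field order is my reading of the format and its digest is a dummy; the detector only checks that the TLV is present, not that the digest is valid. All traffic is constructed inline, and the addresses 10.0.0.x and AS number 100 are assumptions.

```python
"""Parse EIGRP Hello packets and flag a neighbor-announcement flood.

Added example, not Cisco's code. Header layout follows the EIGRP packet
format (RFC 7868); the MD5 authentication TLV layout is assumed and the
digest is a placeholder.
"""
import struct

EIGRP_VERSION = 2
OPCODE_HELLO = 5
TLV_PARAMETERS = 0x0001
TLV_AUTHENTICATION = 0x0002
HEADER_FMT = "!BBHIIIHH"  # version, opcode, checksum, flags, seq, ack, vrid, asn
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_eigrp(payload: bytes) -> dict:
    """Return opcode, AS number, sequence and a {type: value} TLV map; ValueError on bad input."""
    if len(payload) < HEADER_LEN:
        raise ValueError("short header")
    version, opcode, _csum, _flags, seq, _ack, _vrid, asn = struct.unpack(
        HEADER_FMT, payload[:HEADER_LEN])
    if version != EIGRP_VERSION:
        raise ValueError("unknown version %d" % version)
    # With the stored checksum included, a correct packet sums to zero.
    if ip_checksum(payload) != 0:
        raise ValueError("bad checksum")
    tlvs, off = {}, HEADER_LEN
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("truncated TLV")
        tlvs[ttype] = payload[off + 4:off + tlen]
        off += tlen
    if off != len(payload):
        raise ValueError("trailing bytes")
    return {"opcode": opcode, "asn": asn, "seq": seq, "tlvs": tlvs}


def build_hello(asn: int, hold_time: int = 15, authenticated: bool = False) -> bytes:
    """Construct a Hello for test input. Parameters TLV: K1..K5, reserved, hold time."""
    body = struct.pack("!HHBBBBBBH", TLV_PARAMETERS, 12, 1, 0, 1, 0, 0, 0, hold_time)
    if authenticated:
        # Assumed MD5 TLV layout: auth type 2 (MD5), auth length 16, key id,
        # key sequence, 12 bytes of padding, 16-byte digest (dummy here).
        body += (struct.pack("!HHHHII", TLV_AUTHENTICATION, 44, 2, 16, 1, 0)
                 + b"\x00" * 12 + b"\xAA" * 16)
    hdr = struct.pack(HEADER_FMT, EIGRP_VERSION, OPCODE_HELLO, 0, 0, 0, 0, 0, asn)
    pkt = hdr + body
    return pkt[:2] + struct.pack("!H", ip_checksum(pkt)) + pkt[4:]


def detect_neighbor_flood(packets, expected_asn, max_neighbors, require_auth=False):
    """packets: iterable of (src_ip, payload) seen on one interface within one hold time.
    Returns (set of accepted Hello sources, list of alert strings)."""
    neighbors, alerts = set(), []
    for src, payload in packets:
        try:
            pkt = parse_eigrp(payload)
        except ValueError as exc:
            alerts.append("%s: malformed EIGRP (%s)" % (src, exc))
            continue
        if pkt["opcode"] != OPCODE_HELLO:
            continue
        if pkt["asn"] != expected_asn:
            alerts.append("%s: hello for AS %d, expected %d" % (src, pkt["asn"], expected_asn))
            continue
        if require_auth and TLV_AUTHENTICATION not in pkt["tlvs"]:
            alerts.append("%s: unauthenticated hello on an MD5-protected AS" % src)
            continue
        neighbors.add(src)
    if len(neighbors) > max_neighbors:
        alerts.append("%d distinct hello sources, expected at most %d: possible neighbor flood"
                      % (len(neighbors), max_neighbors))
    return neighbors, alerts


# Constructed traffic: the one legitimate neighbor 10.0.0.2 (authenticated),
# fifty spoofed unauthenticated sources, and one truncated packet.
SAMPLE = [("10.0.0.2", build_hello(100, authenticated=True))]
SAMPLE += [("10.0.0.%d" % i, build_hello(100)) for i in range(10, 60)]
SAMPLE.append(("10.0.0.99", build_hello(100)[:18]))

if __name__ == "__main__":
    seen, found = detect_neighbor_flood(SAMPLE, expected_asn=100, max_neighbors=1)
    for line in found:
        print(line)
    seen, found = detect_neighbor_flood(SAMPLE, expected_asn=100, max_neighbors=1,
                                        require_auth=True)
    print("with MD5 required: %d neighbors, %d alerts" % (len(seen), len(found)))
```

Run without `require_auth` the sample yields 51 accepted sources and a flood alert; with `require_auth=True` only 10.0.0.2 is accepted and each spoofed Hello is reported individually, which is the view a router with MD5 authentication configured would have of the same traffic.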


