Re: Cisco CSS 11000 Series DoS

From: Mike Caudill (mcaudill_at_cisco.com)
Date: 08/08/03

Next message: FX: "Cisco IOS HTTP remote exploit"

Previous message: Zee: "Remote denial of service vulnerability in Meteor FTP Version 1.5"
In reply to: S21SEC: "Cisco CSS 11000 Series DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vul-serv@s21seccom.s21sec.com (S21SEC)
Date: Fri, 8 Aug 2003 13:51:40 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is to acknowledge your postings regarding a Denial of Service
vulnerability in the Cisco CSS 11000 platforms located at:

Vulnwatch list:
http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html

BUGTRAQ:
http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0

The Cisco PSIRT is investigating the issue further. Once we have verified
details surrounding this problem, we will post a response to both forums
with more information regarding fixed software versions and applicable
workarounds which can be used to mitigate the problem.

Thanks.

- -Mike-

> ###############################################################
> ID: S21SEC-025-en
> Title: Cisco CSS 11000 Series DoS
> Date: 04/07/2003
> Status: Solution available
> Scope: Interruption of service, high CPU load.
> Platforms: All/Chassis CS800.
> Author: ecruz, egarcia, jandre
> Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt
> Release: External
> ###############################################################
>
> S 2 1 S E C
>
> http://www.s21sec.com
>
> Cisco CSS 11000 Series Denial of service
>
> Description of vulnerability
> ----------------------------
>
> A heavy storm of TCP SYN packets directed to the circuit address of the
> CSS
> can cause DoS on it, high cpu load or even sudden reboots.
>
> The issue is known by cisco as the ONDM Ping failure (CSCdz00787). On the
> CS800 chassis the
> system controller module (SCM) sends ONDM (online diagnostics monitor)
> pings to each SFP card
> in order to see if they are alive, if the SCM doesn't get a response in
> about 30 seconds the
> SCM will reboot the CS800 and there will be no core.
>
> By attacking the circuit IP address of the CSS with SYN packets the
> traffic is sent up to the SCM
> over the internal MADLAN ethernet interface. If this internal interface
> becomes overloaded
> the ONDM ping request and response traffic can be dropped leading this to
> an internal DoS
> since no internal comunications are available.
>
> Any attacker could do this externally with a few sessions of NMAP and a
> cable/ADSL internet
> connection.
>
> Affected Versions and platforms
> -------------------------------
>
> This vulnerability affects the models 11800, 11150 and 11050 with chassis
> CS800.
>
> Solution
> --------
>
> Upgrade to software release WebNS 5.00.110s or above.
> http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note0918
> 6a008014ee04.html
>
> AcL's to protect the circuit address are recomended.
>
> Additional information
> ----------------------
>
> These vulnerabilities have been found and researched by:
>
> Eduardo Cruz ecruz@s21sec.com
> Emilin Garcia egarcia@s21sec.com
> Jordi Andre jandre@s21sec.com
>
> You can find the last version of this warning in:
>
> http://www.s21sec.com/en/avisos/s21sec-025-en.txt
>
> And other S21SEC warnings in http://www.s21sec.com/en/avisos/

- --
- ----------------------------------------------------------------------------
| || || | Mike Caudill | mcaudill@cisco.com |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPzPjG4pjyUnrvVJxEQJNOwCfR7b6rjXNpcAmbgXue5pk6t6+PDEAoO4n
vZpl/lFWudgREMq98AwDGbFq
=DY/N
-----END PGP SIGNATURE-----

Next message: FX: "Cisco IOS HTTP remote exploit"

Previous message: Zee: "Remote denial of service vulnerability in Meteor FTP Version 1.5"
In reply to: S21SEC: "Cisco CSS 11000 Series DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [VulnWatch] Cisco CSS 11000 Series DoS
... vulnerability in the Cisco CSS 11000 platforms located at: ... Cisco CSS 11000 Series DoS ... > SCM will reboot the CS800 and there will be no core. ... > cable/ADSL internet ...
(VulnWatch)
[NT] Vulnerability in Server Service Could Allow Remote Code Execution (MS06-035)
... Vulnerability in Server Service Could Allow Remote Code Execution ... Firewall best practices and standard default firewall configurations ... This port is used to initiate a connection with the affected component. ... Internet to help prevent attacks that may use other ports. ...
(Securiteam)
[NT] Vulnerability in the Indexing Service Allows Remote Code Execution (MS05-003)
... Get your security news from a reliable source. ... A remote code execution vulnerability exists in the Indexing Service ... connected to the Internet have a minimal number of ports exposed. ...
(Securiteam)
[NT] Web Client Service Remote Code Execution (MS06-008)
... A remote code execution vulnerability exists in the way that Windows ... the Web Client service is disabled in Windows Server 2003 ... connected to the Internet have a minimal number of ports exposed. ...
(Securiteam)
[Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
... nature of this vulnerability, I would like to thank Brian Schafer of the ... SecurityFocus has also ... current installations of Windows 2000 and Windows XP. ... Microsoft Internet Explorer Drag-and-Drop Redeux ...
(Full-Disclosure)