RE: Cisco IOS vulnerability

From: Abraham, Antony (Cognizant) (Antony_at_blr.cognizant.com)
Date: 07/18/03

  • Next message: Quarantine: "RE: Cisco IOS vulnerability" 
    Date: Fri, 18 Jul 2003 12:31:30 +0530
To: <jvfields@tds.net>, <gkruel@openlink.com.br>

    You are vulnerable unless you have deny statement which blocks all
    packets other than say ICMP or IPSEC coming to the router interface
    which is connected to the Internet.

    Even though the packets targeted *at* the routers interface is only
    dangerous for that router, you can block all the dangerous packets
    *through* the router at your perimeter router which would avoid another
    router down the line getting attacked.

    Cisco has updated the security advisory and the same is available at

    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

    You can put lines like the one below given at the top of your existing
    access list. This is not going to affect your ICMP or TCP Established
    traffic.

    access-list 101 deny 53 any any
    access-list 101 deny 55 any any
    access-list 101 deny 77 any any
    access-list 101 deny 103 any any

    Thanks,

    Antony Abraham

    -----Original Message-----
    From: James Fields [mailto:jvfields@tds.net]
    Sent: Friday, July 18, 2003 2:02 AM
    To: gkruel@openlink.com.br
    Cc: incidents@securityfocus.com
    Subject: Re: Cisco IOS vulnerability

    The vulnerability is based on a sequence of some number of special
    packets targeted *at* the router's interface (i.e., not packets that are
    going to be routed *through*).

    The packets do not use the normal IP protocols such as TCP/UDP/ICMP, but
    something different. So, first thing is that if you're only allowing
    TCP, UDP, ICMP, and maybe IPSEC then you may be ok. Even so, you should
    also as part of your ACLs be dropping packets targeted directly AT your
    router's interface address unless you know what they do and where they
    are from.

    On Thu, 2003-07-17 at 10:14, Gustavo Kruel wrote:
    > Hi all.
    >
    > I saw today the vulnerability alert on Cisco IOS. The workaround is to
    > implement ACL?s that block packets from unknown sources directed to an
    > exposed interface.
    >
    > Thinking about a perimeter router, i have one router with a "tcp any
    any
    > established" ACL. I also have ICMP opened in this same router, any ->
    any.
    > Are this lines enough to make this interface vulnerable to the
    possible
    > attack?
    >
    > What do you think about it?
    >
    >
    >
    ------------------------------------------------------------------------ 

    ----
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the 
> world's premier technical IT security event! 10 tracks, 15 training
sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from
CSO's to 
> "underground" security specialists.  See for yourself what the buzz is
about!  
> Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
>
------------------------------------------------------------------------
----
-- 
James V. Fields
------------------------------------------------------------------------
----
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from
CSO's to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
------------------------------------------------------------------------
----

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------

  • Next message: Quarantine: "RE: Cisco IOS vulnerability"

    Relevant Pages

    • Cisco 3640 NM-4E Westell ADSL Modem & Ambit Cable Modem/Router Half 1/2 Speed
      ... Below the configuration are my SH Interface and SH IP Interface ... deny tcp any any eq 135 ... IP fast switching on the same interface is disabled ... input packets with dribble condition detected ...
      (comp.dcom.sys.cisco)
    • Re: Smoothwall may not be forwarding port 80
      ... On the red interface is an adsl router. ... PORT STATE SERVICE ... dropping the packets, or that the forwarding does not work correctly. ...
      (comp.security.firewalls)
    • Re: Nmap questions concering my router
      ... It's a bit off topic - but down at the Ethernet level, the packets are ... so your router masquerades for you. ... it may differ from other applications - we just send data to a network ... >> the Ethernet header is the MAC address of the 10.0.0.138 interface. ...
      (comp.security.firewalls)
    • Re: adsl+sdsl+cable?
      ... Short answer: good luck:) ... Because the outgoing packets will always have the IP ... address associated with the originating interface, ... The server would see the router as the source ...
      (alt.os.linux.suse)
    • Re: Interface errors
      ... input packets with dribble condition detected ... 685 output errors, 846589 collisions, 2 interface resets ... Some idea of how busy the interface is supposed ... This indicates that the router has been ...
      (comp.dcom.sys.cisco)