Re: Cisco IOS vulnerability

wangw_at_singnet.com.sg
Date: 07/18/03

    To: "Gustavo Kruel" <gkruel@openlink.com.br>, <incidents@securityfocus.com>
    Date: Sat, 19 Jul 2003 01:08:13 +0800
    
    

    My understanding of the basic way a Cisco ACL works is: if your ACL is not
    empty, then any packet that does not match an entry in the ACL will be dropped,
    like a default deny all. So in your case, the supposed attack packets all use
    protocol 53, 55 etc., thus won't match anything in your ACL, and thus shall be
    dropped. So for this particular attack, it shall be OK (provided the ACL has been
    applied to the external interface for external attacks).

    Any cisco expert has any comment / confirmation on this?

    GW

    On 17 Jul 2003 at 11:14, Gustavo Kruel wrote:

    Hi all.

    I saw today the vulnerability alert on Cisco IOS. The workaround is to
    implement ACLs that block packets from unknown sources directed to an
    exposed interface.

    Thinking about a perimeter router, I have one router with a "tcp any any
    established" ACL. I also have ICMP opened in this same router, any -> any.
    Are these lines enough to make this interface vulnerable to the possible
    attack?

    What do you think about it?

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.
    www.blackhat.com
    ----------------------------------------------------------------------------

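To check the reasoning in the thread (implicit deny at the end of a non-empty IOS ACL, and what "tcp any any established" plus "icmp any any" actually let through), here is a small added model of IOS extended-ACL evaluation. It is illustration code written for this page, not Cisco's code or anything posted by either participant. The ACL text is constructed to match the perimeter router the original poster describes; the packets are constructed samples, including IP protocols 53 and 55 from the thread (Cisco's July 2003 advisory also names 77 and 103). Only the `any`/`any` address form is modelled: no wildcard masks, ports or ICMP types.

```python
"""Toy evaluator for Cisco IOS extended access lists.

Illustrates the two properties discussed in the thread:
  * a non-empty ACL ends with an implicit "deny ip any any", so packets for
    IP protocols the ACL never mentions (53, 55, ...) are dropped;
  * "established" is a flag check (ACK or RST set), not connection tracking.
Added example, not Cisco code. Only "any any" source/destination entries are
supported (an assumption made to keep the model short).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed to mirror the perimeter ACL described by the original poster.
POSTER_ACL = """
access-list 101 permit tcp any any established
access-list 101 permit icmp any any
"""

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # "ip" means any protocol


@dataclass(frozen=True)
class Packet:
    proto: int                          # IP protocol number
    tcp_flags: frozenset = frozenset()  # only meaningful when proto == 6


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None matches any IP protocol ("ip")
    established: bool


def parse_acl(text: str) -> list[Ace]:
    """Parse lines of the form 'access-list <n> <permit|deny> <proto> any any [established]'."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, src, dst = tok[2], tok[3], tok[4], tok[5]
        if action not in ("permit", "deny") or (src, dst) != ("any", "any"):
            raise ValueError(f"unsupported ACE in this toy model: {line}")
        if proto == "ip":
            pnum = None
        elif proto.isdigit():
            pnum = int(proto)             # numeric protocol, e.g. "deny 53 any any"
        else:
            pnum = PROTO_NUMBERS[proto]
        aces.append(Ace(action, pnum, "established" in tok[6:]))
    return aces


def evaluate(aces: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; a packet that matches nothing is denied."""
    for ace in aces:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        # "established" matches only TCP segments with ACK or RST set; it keeps
        # no state, so a forged ACK/RST from anywhere satisfies it.
        if ace.established and not (pkt.proto == 6 and pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every non-empty IOS ACL


def classify(acl_text: str = POSTER_ACL) -> dict[str, str]:
    """Run constructed sample packets through the ACL; returns name -> verdict."""
    aces = parse_acl(acl_text)
    samples = {
        "tcp_reply_ack": Packet(6, frozenset({"ACK"})),   # return traffic of an outbound session
        "tcp_new_syn": Packet(6, frozenset({"SYN"})),     # inbound connection attempt
        "tcp_forged_rst": Packet(6, frozenset({"RST"})),  # no handshake, still passes "established"
        "icmp_echo": Packet(1),
        "ip_proto_53": Packet(53),  # protocols named in the thread: never listed, so
        "ip_proto_55": Packet(55),  # they fall through to the implicit deny
    }
    return {name: evaluate(aces, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:16s} {verdict}")
```

The run confirms GW's reading: with only those two permit lines, protocols 53 and 55 hit the implicit deny, so the ACL protects the interface it is applied inbound on. The same model also shows the caveat a practitioner would want: "established" permits any TCP segment carrying ACK or RST regardless of source, and an ACL that ends in "permit ip any any" (the common mistake on routers that must forward everything) lets 53 and 55 through unless they are denied explicitly above it.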

