On Fri, 24 Aug 2001, Cisco Systems Product Security Incident Response Team wrote:

> There is no specific workaround for each of these vulnerabilities; however,
> a workaround exists which has proven a reasonable defense for the CodeRed
> Worm attack. It is advisable to disable web management on port 80, by
> setting the web management port to some number greater than 1024, with the
> following command, replacing the text "number_greater-than_1024" with an
> actual number.
>
> set web port number_greater-than_1024

This will not fix the root problem, but will fix some of the symptoms (the CodeRed issue). Even with the web port bound to a port > 1024, a simple nmap scan will reveal its real location and allow a malicious user - without much effort - to disable the router temporarily (until reboot).

The fix I'm recommending to my customers (each of these filter lines should be one line - it will wrap in the following example):

set filter 0 on deny incoming ANY 0.0.0.0 0.0.0.0 <router IP> 255.255.255.255 protocol TCP srcport 0-65535 destport 23-23
set filter 1 on deny incoming ANY 0.0.0.0 0.0.0.0 <router IP> 255.255.255.255 protocol TCP srcport 0-65535 destport 80-80
set filter 19 on accept incoming ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
set filter 20 on accept outgoing ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Note that you MUST use the serial port to configure it. Also note that this disables telnet or HTTP remote administration - you'll need to use the serial port.

Finally, please note that there is a documentation "glitch" in the 600 series routers, at least on Cisco 678s running CBOS 2.4.1.
It is as follows:

cbos#help filter examples
CBOS Help System
-------------------------------------
COMMAND: set filter
TOPIC: example

The first example shows how to block all incoming web access:
cbos#set filter 0 on deny incoming all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 80-80

The second example shows how to block all incoming telnet access from the 192.168.0.0 network:
cbos#set filter 1 on deny incoming all 192.168.0.0 255.255.255.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 23-23

The third example shows how to accept telnet access from the host 192.168.0.25:
cbos#set filter 2 on allow incoming all 192.168.0.25 255.255.255.255 0.0.0.0 0.0.0.0 protocol TCP srcport 23-23

The fourth example shows how to block all incoming ftp access on wan port wan0-1:
cbos#set filter 3 on deny incoming wan0-1 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 21-21

The fifth example shows how to turn off the first filter:
cbos#set filter 0 off

Examples #1, #2, and #3 are simply wrong. If you want to include all possible TCP ports, you should use "srcport 0-65535", not "srcport 1-65535". I wonder how many vulnerable filter installations there are simply because the user followed the instructions...

-- 
Joel Maslak
Antelope Enterprises
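As an added example (this is not code from the message, from Cisco or from CBOS), the following Python model parses the "set filter" commands quoted above, evaluates TCP segments against them, and flags deny filters whose srcport range skips a port, which is exactly the "srcport 1-65535" glitch the message describes. It assumes, from the shape of the examples, that filters are evaluated in index order, that the first match decides, and that a segment matching no filter is denied; the router address 203.0.113.1 and outside host 198.51.100.7 are constructed test values standing in for "<router IP>" and an attacker.

```python
# Added example (not CBOS or Cisco code): a small model of CBOS "set filter" rules
# that parses the commands quoted in the message, evaluates packets against them,
# and flags the "srcport 1-65535" glitch.  Assumed semantics: filters are checked
# in index order, the first match decides, and a packet matching nothing is denied.
import re
from collections import namedtuple
from ipaddress import IPv4Address

FILTER_RE = re.compile(
    r"^(?:cbos#)?set filter (?P<idx>\d+) (?P<state>on|off)"
    r"(?: (?P<action>deny|accept|allow) (?P<direction>incoming|outgoing)"
    r" (?P<iface>\S+) (?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)"
    r"(?: protocol (?P<proto>\S+))?(?: srcport (?P<sp_lo>\d+)-(?P<sp_hi>\d+))?"
    r"(?: destport (?P<dp_lo>\d+)-(?P<dp_hi>\d+))?)?$")

Packet = namedtuple("Packet", "direction iface src dst proto sport dport")

def apply_commands(lines):
    """Build {index: filter-dict} from 'set filter ...' commands applied in order."""
    table = {}
    for line in lines:
        m = FILTER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised filter command: {line!r}")
        idx, g = int(m["idx"]), m.groupdict()
        if g["state"] == "off" or g["action"] is None:
            table.pop(idx, None)            # "set filter N off" disables filter N
            continue
        rng = lambda lo, hi: (int(g[lo]), int(g[hi])) if g[lo] else None
        table[idx] = {
            "action": "accept" if g["action"] == "allow" else g["action"],
            "direction": g["direction"], "iface": g["iface"].lower(),
            "src": IPv4Address(g["src"]), "smask": IPv4Address(g["smask"]),
            "dst": IPv4Address(g["dst"]), "dmask": IPv4Address(g["dmask"]),
            "proto": g["proto"].upper() if g["proto"] else None,
            "sport": rng("sp_lo", "sp_hi"), "dport": rng("dp_lo", "dp_hi"),
        }
    return table

def _masked_eq(addr, rule_addr, mask):
    # mask 0.0.0.0 matches any address; 255.255.255.255 matches exactly one host
    return (int(addr) & int(mask)) == (int(rule_addr) & int(mask))

def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def filter_matches(f, p):
    return (f["direction"] == p.direction
            and (f["iface"] in ("any", "all") or f["iface"] == p.iface.lower())
            and _masked_eq(p.src, f["src"], f["smask"])
            and _masked_eq(p.dst, f["dst"], f["dmask"])
            and (f["proto"] is None or f["proto"] == p.proto.upper())
            and _in_range(p.sport, f["sport"]) and _in_range(p.dport, f["dport"]))

def evaluate(table, p):
    """Lowest-index matching filter wins; no match is treated as deny (assumption)."""
    for idx in sorted(table):
        if filter_matches(table[idx], p):
            return table[idx]["action"]
    return "deny"

def audit_source_port_gaps(table):
    """Indices of deny filters whose srcport range misses a port (1-65535 misses 0)."""
    return [i for i, f in sorted(table.items()) if f["action"] == "deny"
            and f["sport"] and (f["sport"][0] > 0 or f["sport"][1] < 65535)]

# Constructed samples; ROUTER stands in for the message's "<router IP>".
ROUTER = "203.0.113.1"
RECOMMENDED = [  # the filter set recommended in the message
    f"set filter 0 on deny incoming ANY 0.0.0.0 0.0.0.0 {ROUTER} 255.255.255.255 protocol TCP srcport 0-65535 destport 23-23",
    f"set filter 1 on deny incoming ANY 0.0.0.0 0.0.0.0 {ROUTER} 255.255.255.255 protocol TCP srcport 0-65535 destport 80-80",
    "set filter 19 on accept incoming ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0",
    "set filter 20 on accept outgoing ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0",
]
FROM_HELP = [  # the help system's first example, plus the same catch-all accept
    "cbos#set filter 0 on deny incoming all 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol TCP srcport 1-65535 destport 80-80",
    "set filter 19 on accept incoming ANY 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0",
]

def probe(commands, sport, dport, direction="incoming"):
    """Verdict for a TCP segment between a constructed outside host and the router."""
    outside, router = IPv4Address("198.51.100.7"), IPv4Address(ROUTER)
    src, dst = (outside, router) if direction == "incoming" else (router, outside)
    return evaluate(apply_commands(commands),
                    Packet(direction, "wan0-1", src, dst, "TCP", sport, dport))

if __name__ == "__main__":
    print("recommended, sport 0 -> 80 :", probe(RECOMMENDED, 0, 80))  # deny
    print("help example, sport 0 -> 80:", probe(FROM_HELP, 0, 80))    # accept: port-0 bypass
    print("help example, sport 1 -> 80:", probe(FROM_HELP, 1, 80))    # deny
    print("gappy deny filters in help :", audit_source_port_gaps(apply_commands(FROM_HELP)))  # [0]
```

Run stand-alone, the model shows the difference between the two filter sets: with the help system's "srcport 1-65535" example a segment sent from source port 0 falls through to the catch-all accept and reaches the web management port, while the recommended "srcport 0-65535" filters deny it; audit_source_port_gaps() points at the offending filter index so a configuration can be checked before it is loaded over the serial port.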
This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 14:25:14 PDT