-----BEGIN PGP SIGNED MESSAGE----- We can confirm the statement made by FX from Phenoelit in his message "Cisco IOS EIGRP Network DoS" posted on 2002-Dec-19. The EIGRP implementation in all versions of IOS is vulnerable to a denial of service if it receives a flood of neighbor announcements. EIGRP is a Ciscos' extension of IGP routing protocol used to propagate routing information in internal network environments. The workaround for this issue is to apply MD5 authentication that will permit the receipt of EIGRP packets only from authorized hosts. You can find an example of how to configure MD5 authentication for EIGRP at the following URL (possibly wrapped): http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/ np1_c/1cprt1/1ceigrp.htm#xtocid18 If you are using EIGRP in the unicast mode then you can mitigate this issue by placing appropriate ACL which will block all EIGRP packets from illegitimate hosts. In the following example the EIGRP neighbor has IP address of 10.0.0.2 and the local router has address 10.0.0.1. Router#config t Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1 Router(config)#access-list 111 deny eigrp any host 10.0.0.1 The previous example will permit all EIGRP packet throughout the router and into the rest of the network. If you want to block these packets as well then use the following commands instead of the previous example: Router#config t Router(config)#access-list 111 permit eigrp host 10.0.0.2 host 10.0.0.1 Router(config)#access-list 111 deny eigrp any any An ACL will not be effective if you are using the default multicast mode of EIGRP neighbor discovery. However, multicast packets should not be propagated through the Internet so an attacker must be on the same local network segment as the target router in order to exploit this issue with multicast advertisements. The issue with EIGRP neighbor command FX is referring to is assigned Cisco Bug ID CSCdv19648 and is visible to all registered users through Cisco's Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. At the time of writing this notice Cisco PSIRT does not have a current estimate on when the fix will be available. Gaus -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.3 iQEVAwUBPgIFTw/VLJ+budTTAQE7yggAiDxmo8MFD9rULZAG1PKcnn0wfHungE1a dMfLN1oUaW7LYaMv+PJYkCvSO4t8oJlmQE9MXV3Q9VgLu9FHQDul3tzpOXMCmRB9 19H0XThGXzj7hDUbOrqgYXgDKQucarXg6yZ0nIuxNhEkl4XsnDohaMIkH7ynV/mY mQ2qIehPw6aus2plvGDKDYZVTbClHk1qjTWhL3AgFqbVH9zkOHppLF47kP/adRlh GeloUfxwMAJP2w4/MXObHMr9ELY+8mku/Fi0IBMfnZtS/VprZQZuvYQQmov7uYMV VkvCoI/mkjkJGlTZyxHGtIbQGelC/eub+r4SiCxtH6APiFWaYWnwVw== =o5+g -----END PGP SIGNATURE----- ============== Damir Rajnovic <psirtat_private>, PSIRT Incident Manager, Cisco Systems <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB ============== There is no insolvable problems. The question is can you accept the solution?
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:24:54 PST