RE: Cisco IOS vulnerability

From: Paul Benedek (paul.benedekat_private)
Date: Thu Jul 17 2003 - 11:44:11 PDT

    Hi Gustavo,
    
    There are several things that you may wish to consider.  The IOS advisory
    states that it is IP packets in a certain order that can cause the denial of
    service.  Although with the advisory, the risk of being attacked goes up, it
    is unlikely that many will be affected by this issue.  For the sake of good
    practice, consider the following.
    
    On a perimeter router you should be implementing RFC1918 and RFC2827
    filtering to preclude spoofing.  Another consideration would be the use of
    ACLs that only allow access on the ports giving the services to your
    customers.  Therefore if you are hosting a web site, maybe you only need
    ports 80 and 443 with all other ports denied.  If you do need to have ICMP,
    consider implementing CEF and CAR to rate limit incoming ICMP and UDP.
    Although these security measures in themselves will not prevent the attack,
    they will limit the potential for anybody to exploit the IOS weaknesses.
    
    
    Regards,
    
    Paul Benedek
    Director
    Excis Networks Limited
    http://www.excis.co.uk
    
    
    -----Original Message-----
    From: Gustavo Kruel [mailto:gkruelat_private] 
    Sent: 17 July 2003 15:14
    To: incidentsat_private
    Subject: Cisco IOS vulnerability
    
    Hi all.
    
    I saw today the vulnerability alert on Cisco IOS. The workaround is to
    implement ACLs that block packets from unknown sources directed to an
    exposed interface.
    
    Thinking about a perimeter router, I have one router with a "tcp any any
    established" ACL. I also have ICMP opened in this same router, any -> any.
    Are these lines enough to make this interface vulnerable to the possible
    attack?
    
    What do you think about it?
    
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    world's premier technical IT security event! 10 tracks, 15 training
    sessions, 
    1,800 delegates from 30 nations including all of the top experts, from CSO's
    to 
    "underground" security specialists.  See for yourself what the buzz is
    about!  
    Early-bird registration ends July 3.  This event will sell out.
    www.blackhat.com
    ----------------------------------------------------------------------------
    
    
    
    
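The configuration below is an added illustration of the advice in Paul's reply (RFC1918/RFC2827 anti-spoofing filters, service-only ACLs, CAR rate limiting of ICMP and UDP) placed beside the two ACL lines Gustavo describes. It is not configuration from either poster or from the Cisco advisory. The interface names (Serial0/0, FastEthernet0/0), the site prefix 203.0.113.0/24 (an RFC 5737 documentation range standing in for a real public block), the web server address 203.0.113.10, and the rate-limit values are all assumptions chosen for the example.

```cisco
! ---- The two lines from the question, as an inbound list on the ISP link ----
! Any TCP packet with ACK or RST set, and any ICMP at all, reaches any
! destination behind or on the router, including the router's own addresses.
ip access-list extended OUTSIDE-IN-WEAK
 permit tcp any any established
 permit icmp any any
!
! ---- Hardened inbound list applying the reply's recommendations ----
ip access-list extended OUTSIDE-IN
 ! RFC 2827: drop packets arriving from the Internet that claim our own prefix
 deny   ip 203.0.113.0 0.0.0.255 any
 ! RFC 1918 and loopback sources never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 ! Only the services actually offered, and only to the host that offers them
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 ! Return traffic for sessions opened from inside, limited to inside hosts
 ! rather than "any", so the router's exposed interface is not a target
 permit tcp any 203.0.113.0 0.0.0.255 established
 ! Minimal ICMP instead of "any any": replies and the messages PMTUD needs
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 ! Everything else is dropped and logged, which is also your detection feed
 deny   ip any any log
!
! ---- RFC 2827 egress side: nothing leaves unless sourced from our prefix ----
ip access-list extended INSIDE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! ---- CEF switching and CAR, as the reply suggests for ICMP and UDP ----
ip cef
!
! CAR matches on numbered ACLs; these classify the traffic to be policed
access-list 102 permit icmp any any
access-list 103 permit udp any any
!
interface Serial0/0
 description Link to ISP (assumed name)
 ip access-group OUTSIDE-IN in
 ! 256 kbit/s of ICMP and 1 Mbit/s of UDP with 8000-byte bursts; excess dropped.
 ! Values are placeholders, size them to the link and the services offered.
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 1000000 8000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description Inside LAN (assumed name)
 ip access-group INSIDE-OUT in
```

After applying, `show ip access-lists` shows per-entry match counters, and the `log` keyword on the final deny entries writes denied packets to syslog, which is the simplest way to see whether spoofed or unexpected traffic is actually hitting the perimeter. The `deny ip any any log` entries are where you would watch for the "unknown sources directed to an exposed interface" the advisory workaround refers to.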
    



    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 22:08:40 PDT