RE: Cisco IOS vulnerability

From: David Gillett (gillettdavidat_private)
Date: Thu Jul 17 2003 - 14:19:46 PDT


      I don't think so.  I think you're looking at
    
    ! BEGIN for each router-address
    permit ip host <trusted-source> host <router-address>  ! repeated once per trusted
                                                           ! source address/range
    deny ip any host <router-address>
    ! END for each router-address
    
    and then you apply this to each interface (or, if you already have
    an ACL on an interface, add this to it).
    
      So it's at least O(trusted addresses/ranges), and at worst
    O(trusted x router-addresses x router-interfaces).  OUCH.
    
      Installing a fixed IOS release starts to look like a whole lot less admin
    work, and without the possible performance hit.
    
    (Note that transiting packets, not addressed to the router itself,
    apparently cannot trigger this bug.)
    
    David Gillett
    
    
    > -----Original Message-----
    > From: Gustavo Kruel [mailto:gkruelat_private]
    > Sent: July 17, 2003 07:14
    > To: incidentsat_private
    > Subject: Cisco IOS vulnerability
    > 
    > 
    > Hi all.
    > 
    > I saw today the vulnerability alert on Cisco IOS. The workaround is to
    > implement ACLs that block packets from unknown sources directed to an
    > exposed interface.
    > 
    > Thinking about a perimeter router, I have one router with a "tcp any any
    > established" ACL. I also have ICMP opened in this same router, any -> any.
    > Are these lines enough to make this interface vulnerable to the possible
    > attack?
    > 
    > What do you think about it?
    > 
    > 
    > --------------------------------------------------------------
    > --------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in 
    > Las Vegas, the 
    > world's premier technical IT security event! 10 tracks, 15 
    > training sessions, 
    > 1,800 delegates from 30 nations including all of the top 
    > experts, from CSO's to 
    > "underground" security specialists.  See for yourself what 
    > the buzz is about!  
    > Early-bird registration ends July 3.  This event will sell 
    > out. www.blackhat.com
    > --------------------------------------------------------------
    > --------------
    > 
    
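As an added example that is not part of David's mail or the rest of the thread, the following Python script generates the BEGIN/END ACL block he describes for every router address and counts the resulting entries, so the O(trusted x router-addresses x interfaces) growth can be seen directly. The trusted sources and router addresses are constructed sample values.

```python
# Added example (not from the original mail): generate the BEGIN/END ACL
# block described in the thread for every router address, and count the
# resulting entries to show how the workaround scales.
# All addresses below are constructed sample values, not from the thread.
from ipaddress import IPv4Network

# Constructed inputs: trusted management sources (one host, one range) and the
# router's own interface addresses that the ACL has to protect.
TRUSTED = ["192.0.2.10/32", "198.51.100.0/24"]
ROUTERS = ["203.0.113.1", "203.0.113.2"]


def ios_source(net: IPv4Network) -> str:
    """Render a source as IOS expects: 'host A.B.C.D' or 'address wildcard'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    # IOS ACLs take an inverted (wildcard) mask, not a prefix length.
    return f"{net.network_address} {net.hostmask}"


def build_workaround_acl(trusted, router_addresses):
    """One permit per trusted source, then a deny, for each router address."""
    lines = []
    for router in router_addresses:
        lines.append(f"! BEGIN for router-address {router}")
        for src in trusted:
            lines.append(f"permit ip {ios_source(IPv4Network(src))} host {router}")
        lines.append(f"deny ip any host {router}")
        lines.append(f"! END for router-address {router}")
    return lines


def ace_count(lines):
    """Number of real access-control entries, ignoring '!' comment lines."""
    return sum(1 for line in lines if not line.startswith("!"))


def total_aces(n_trusted, n_router_addrs, n_interfaces):
    """Entries installed box-wide when the block is repeated on every interface."""
    return (n_trusted + 1) * n_router_addrs * n_interfaces


if __name__ == "__main__":
    acl = build_workaround_acl(TRUSTED, ROUTERS)
    print("\n".join(acl))
    # IOS ends every ACL with an implicit deny; when this block is added to an
    # interface, transit traffic still needs its own permit entries.
    print(ace_count(acl), "entries per interface;",
          total_aces(len(TRUSTED), len(ROUTERS), 3), "across 3 interfaces")
```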
    



    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 22:12:33 PDT