Re: Cisco IOS vulnerability

From: James Fields (jvfieldsat_private)
Date: Thu Jul 17 2003 - 13:32:11 PDT

Next message: Dave: "Strange 4 MB Emails"

Previous message: Darrell Kristof: "RE: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover"
In reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Next in thread: Abraham, Antony (Cognizant): "RE: Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The vulnerability is based on a sequence of some number of special
packets targeted *at* the router's interface (i.e., not packets that are
going to be routed *through*).

The packets do not use the normal IP protocols such as TCP/UDP/ICMP, but
something different.  So, first thing is that if you're only allowing
TCP, UDP, ICMP, and maybe IPSEC then you may be ok.  Even so, you should
also as part of your ACLs be dropping packets targeted directly AT your
router's interface address unless you know what they do and where they
are from.

On Thu, 2003-07-17 at 10:14, Gustavo Kruel wrote:
> Hi all.
> 
> I saw today the vulnerability alert on Cisco IOS. The workaround is to
> implement ACL?s that block packets from unknown sources directed to an
> exposed interface.
> 
> Thinking about a perimeter router, i have one router with a "tcp any any
> established" ACL. I also have ICMP opened in this same router, any -> any.
> Are this lines enough to make this interface vulnerable to the possible
> attack?
> 
> What do you think about it?
> 
> 
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
> world's premier technical IT security event! 10 tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
> "underground" security specialists.  See for yourself what the buzz is about!  
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
-- 
James V. Fields


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Dave: "Strange 4 MB Emails"
Previous message: Darrell Kristof: "RE: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover"
In reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Next in thread: Abraham, Antony (Cognizant): "RE: Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 22:18:05 PDT