You can use any source and any destination, as long as you limit your
protocols. The problem is caused by a "specially crafted sequence of IPv4
packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103
(Protocol Independent Multicast - PIM)."

The sample ACL from the advisory:

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any

Matt

-----Original Message-----
From: David Gillett [mailto:gillettdavidat_private]
Sent: Thursday, July 17, 2003 5:20 PM
To: gkruelat_private; incidentsat_private
Subject: RE: Cisco IOS vulnerability

I don't think so. I think you're looking at

! BEGIN for each router-address
  permit ip host trusted host router-address   ! times number of trusted
                                               ! source addresses/ranges
  deny ip any host router-address
! END for each router-address

and then you apply this to each interface (or, if you already have an ACL on
an interface, add this to it). So it's at least O(trusted addresses/ranges),
and at worst O(trusted x router-addresses x router-interfaces). OUCH.
Installing a fixed IOS release starts to look like a whole lot less admin
work, and without the possible performance hit.

(Note that transiting packets, not addressed to the router itself, apparently
cannot trigger this bug.)

David Gillett

> -----Original Message-----
> From: Gustavo Kruel [mailto:gkruelat_private]
> Sent: July 17, 2003 07:14
> To: incidentsat_private
> Subject: Cisco IOS vulnerability
>
>
> Hi all.
>
> I saw today the vulnerability alert on Cisco IOS. The workaround is to
> implement ACL's that block packets from unknown sources directed to an
> exposed interface.
>
> Thinking about a perimeter router, I have one router with a "tcp any any
> established" ACL. I also have ICMP opened in this same router, any -> any.
> Are these lines enough to make this interface vulnerable to the possible
> attack?
>
> What do you think about it?
>
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training sessions,
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to
> "underground" security specialists. See for yourself what the buzz is about!
> Early-bird registration ends July 3. This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
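The thread contrasts two workarounds: the advisory's protocol-number ACL, which is five lines regardless of topology, and the per-router-address allowlist David sketches, which grows with the number of trusted sources, router addresses and interfaces. The Python below is an added example, not code from any of the posters or from Cisco. It generates both ACLs and evaluates constructed packets against them with Cisco numbered-ACL semantics (first match wins, implicit deny at the end). The addresses are constructed documentation-range values, and the trailing `permit ip any any` on the per-address list is an assumption standing in for the existing interface ACL the thread says these lines would be added to. Dropping protocol 103 on an interface also drops legitimate PIM, which matters if that interface carries multicast routing.

```python
"""Model of the two Cisco ACL workarounds discussed in the thread.

Constructed example: the advisory's protocol-number ACL (fixed size) versus a
per-router-address allowlist (size grows with trusted sources x router
addresses, then x interfaces when applied to each interface).  Evaluation
follows Cisco numbered-ACL semantics: entries are tested in order, the first
match decides, and an unmatched packet hits the implicit deny at the end.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# IPv4 protocol numbers named in the advisory text quoted in the thread.
AFFECTED_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}


@dataclass(frozen=True)
class Packet:
    protocol: int  # IPv4 header protocol field
    src: str
    dst: str


def protocol_acl(number: int = 101) -> List[str]:
    """The advisory's ACL: deny the four protocols, permit everything else."""
    lines = [f"access-list {number} deny {p} any any" for p in sorted(AFFECTED_PROTOCOLS)]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def per_address_acl(router_addresses: Iterable[str], trusted_sources: Iterable[str],
                    number: int = 102) -> List[str]:
    """The per-address scheme from the thread: for every router address, permit
    each trusted source, then deny everyone else to that address.  The final
    permit is an assumption so transit traffic (which the thread notes cannot
    trigger the bug) still passes."""
    trusted = list(trusted_sources)
    lines: List[str] = []
    for router in router_addresses:
        for src in trusted:
            lines.append(f"access-list {number} permit ip host {src} host {router}")
        lines.append(f"access-list {number} deny ip any host {router}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def _match_addr(spec: str, addr: str) -> bool:
    # "any" and "host a.b.c.d" are the only address forms used in the thread.
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    raise ValueError(f"unsupported address spec: {spec!r}")


def evaluate(acl: List[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    for line in acl:
        fields = line.split()
        # access-list <n> <action> <proto> <src-spec> <dst-spec>
        action, proto, rest = fields[2], fields[3], fields[4:]
        src_len = 1 if rest[0] == "any" else 2  # "any" is 1 token, "host X" is 2
        src_spec, dst_spec = " ".join(rest[:src_len]), " ".join(rest[src_len:])
        proto_ok = proto == "ip" or int(proto) == pkt.protocol
        if proto_ok and _match_addr(src_spec, pkt.src) and _match_addr(dst_spec, pkt.dst):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


def compare(router_addresses: List[str], trusted_sources: List[str],
            interfaces: int) -> Dict[str, int]:
    """Line counts for both approaches; the per-address total is multiplied by
    the number of interfaces it must be applied to (David's O() estimate)."""
    per_addr = per_address_acl(router_addresses, trusted_sources)
    return {
        "protocol_acl_lines": len(protocol_acl()),
        "per_address_lines_per_interface": len(per_addr),
        "per_address_lines_total": len(per_addr) * interfaces,
    }


if __name__ == "__main__":
    routers = ["192.0.2.1", "198.51.100.1"]        # constructed router addresses
    trusted = ["203.0.113.10", "203.0.113.11"]     # constructed trusted sources
    print("\n".join(protocol_acl()))
    print(compare(routers, trusted, interfaces=2))
    probe = Packet(103, "203.0.113.99", "192.0.2.1")  # constructed PIM packet to the router
    print("protocol ACL:", evaluate(protocol_acl(), probe))
    print("per-address ACL:", evaluate(per_address_acl(routers, trusted), probe))
```

Run as a script it prints the advisory ACL, the line counts for a two-router, two-trusted-source, two-interface setup, and the verdict each ACL gives a PIM packet from an untrusted host addressed to the router; the per-address ACL also shows why Gustavo's `tcp any any established` plus ICMP rules are not the relevant question, since the affected protocols are neither TCP nor ICMP.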
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 10:50:39 PDT