Re: Cisco IOS vulnerability

From: wangwat_private
Date: Fri Jul 18 2003 - 10:08:13 PDT

Next message: Quarantine: "RE: Cisco IOS vulnerability"

Previous message: Barry Irwin: "Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover"
In reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Next in thread: james: "Re: Cisco IOS vulnerability"
Next in thread: Quarantine: "RE: Cisco IOS vulnerability"
Reply: james: "Re: Cisco IOS vulnerability"
Reply: Jeff Kell: "Re: Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

My understanding of the basic way cisco ACL works are: if your ACL is not 
empty, then any unmatched packet (with ACL list) will be dropped, like a 
default deny all. So in your case, the supposedly attack packets all use 
protocol 53, 55 etc, thus won't match anything in your ACL list, thus shall be 
dropped. So for this particular attack, it shall be OK (provided the ACL has 
applied to the external interface for external attacks).

Any cisco expert has any comment / confirmation on this?

GW

On 17 Jul 2003 at 11:14, Gustavo Kruel wrote:

Hi all.

I saw today the vulnerability alert on Cisco IOS. The workaround is to
implement ACL?s that block packets from unknown sources directed to an
exposed interface.

Thinking about a perimeter router, i have one router with a "tcp any any
established" ACL. I also have ICMP opened in this same router, any -> any.
Are this lines enough to make this interface vulnerable to the possible
attack?

What do you think about it?


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's 
to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. 
www.blackhat.com
----------------------------------------------------------------------------



----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Quarantine: "RE: Cisco IOS vulnerability"
Previous message: Barry Irwin: "Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover"
In reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Next in thread: james: "Re: Cisco IOS vulnerability"
Next in thread: Quarantine: "RE: Cisco IOS vulnerability"
Reply: james: "Re: Cisco IOS vulnerability"
Reply: Jeff Kell: "Re: Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 11:03:16 PDT