RE: Cisco IOS vulnerability

From: Gustavo Kruel (gkruelat_private)
Date: Fri Jul 18 2003 - 06:04:15 PDT


    Hey, thanks for all the answers!
    
    It seems to me that implementing best-practice ACL filtering on internet
    border routers would be enough to avoid the problem (at least from the dark
    "outside"), although I seriously agree with the need to upgrade.
    
    In my other email, I have only shown those lines that allowed traffic
    directly TO the interface. That router's ACL has anti-spoof denies, and
    only allows traffic through the router to specific servers and services.
    
    Everything else, besides the specific traffic, icmp and established packets,
    is dropped.
    
    In some versions of the advisory, the details section doesn't show the info
    about the protocols. To find it, you need to go to:
    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml.
    
    Best regards!
    
    -----Original Message-----
    From: Eugene Borukhovich [mailto:eugenebat_private]
    Sent: Thursday, July 17, 2003 23:18
    To: gkruelat_private; incidentsat_private
    Subject: RE: Cisco IOS vulnerability
    
    
    The key is to block the protocols specified:
    
    
     deny   53 any any
     deny   55 any any
     deny   77 any any
    
    then you can allow what you need to allow.
    
    -----Original Message-----
    From: Gustavo Kruel [mailto:gkruelat_private]
    Sent: Thursday, July 17, 2003 10:14 AM
    To: incidentsat_private
    Subject: Cisco IOS vulnerability
    
    Hi all.
    
    I saw today the vulnerability alert on Cisco IOS. The workaround is to
    implement ACLs that block packets from unknown sources directed to an
    exposed interface.
    
    Thinking about a perimeter router, I have one router with a "tcp any any
    established" ACL. I also have ICMP opened in this same router, any -> any.
    Are these lines enough to make this interface vulnerable to the possible
    attack?
    
    What do you think about it?
    
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
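
Added example (not part of the original messages or of Cisco's advisory): a simplified first-match check of whether an ACL lets the IP protocols named in the reply (53, 55, 77) through. The sample ACLs are constructed from the lines quoted in the thread, and the model looks only at the protocol field of `any any` rules.

```python
import re

# IP protocol numbers named in the reply's deny lines.
BLOCKED_PROTOCOLS = (53, 55, 77)
# ACL protocol keywords used on this page, mapped to IP protocol numbers.
KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}

def parse_acl(text):
    """Parse 'permit|deny <proto> any any [...]' lines into (action, number)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(permit|deny)\s+(\S+)\s+any\s+any\b", line)
        if not m:
            continue
        action, proto = m.groups()
        if proto == "ip":
            number = None  # 'ip' matches every IP protocol
        elif proto.isdigit():
            number = int(proto)
        elif proto in KEYWORDS:
            number = KEYWORDS[proto]
        else:
            continue  # keyword outside this simplified model; line is ignored
        rules.append((action, number))
    return rules

def verdict(rules, protocol):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for action, number in rules:
        if number is None or number == protocol:
            return action
    return "deny"

def exposed_protocols(acl_text):
    """Return the blocked-list protocols that this ACL would still permit."""
    rules = parse_acl(acl_text)
    return [p for p in BLOCKED_PROTOCOLS if verdict(rules, p) == "permit"]

# Constructed sample: the two lines described in the original question.
QUESTION_ACL = "permit tcp any any established\npermit icmp any any\n"
# Constructed sample: the same lines followed by a catch-all permit.
CATCH_ALL_ACL = QUESTION_ACL + "permit ip any any\n"
# Constructed sample: the reply's deny lines placed ahead of everything else.
FIXED_ACL = "deny 53 any any\ndeny 55 any any\ndeny 77 any any\n" + CATCH_ALL_ACL

if __name__ == "__main__":
    for name, acl in (("question", QUESTION_ACL), ("catch-all", CATCH_ALL_ACL), ("fixed", FIXED_ACL)):
        print(name, exposed_protocols(acl))
```
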
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 11:23:52 PDT