Re: Code red II crashes cisco 678

From: bjarne bingo (kainat_private)
Date: Mon Aug 06 2001 - 11:19:42 PDT


    No effect on a cisco 677 running cbos 2.4.2 (latest) - tried leaving the ping
    running for 10 minutes or so.
    
    
    ----- Original Message -----
    From: "Johnson, Michael" <Michael.Johnsonat_private>
    To: "'Vladimir Kraljevic'" <vladimir_kraljevicat_private>;
    <VULN-DEVat_private>
    Cc: "'Geo.'" <georgerat_private>
    Sent: Monday, August 06, 2001 7:44 PM
    Subject: RE: Code red II crashes cisco 678
    
    
    > Verified on a 677 also.
    >
    > -----Original Message-----
    > From: Vladimir Kraljevic [mailto:vladimir_kraljevicat_private]
    > Sent: Monday, August 06, 2001 11:55 AM
    > To: VULN-DEVat_private
    > Cc: 'Geo.'
    > Subject: RE: Code red II crashes cisco 678
    >
    >
    > I've had problems with Cisco 677 (please take a search for
    > 20000814172811.28516.qmailat_private).
    >
    > It was possible to smash the router (only power off helped) by issuing ICMP
    > echo with record route flag set (succeeded even with Win32 ping from command
    > line). Problem appeared after several echo requests of that type, not
    > immediately (try ping -t -r 8 <some.non.local.ip.address> and wait 2-3
    > minutes at most). However, I was not able (not enough time, as usual) to try
    > to craft fake ICMP response with recorded routes inside (maybe this allows
    > a DoS against complete families of Cisco 6xx routers).
    >
    > Maybe related.
    >
    > Vladimir
    >
    >
    > C:\>-----Original Message-----
    > C:\>From: Geo. [mailto:georgerat_private]
    > C:\>Sent: Monday, August 06, 2001 4:43
    > C:\>To: Russ; VULN-DEVat_private;
    > C:\>NTBUGTRAQat_private;
    > C:\>Discussion regarding Windows-related security vulnerabilities and
    > C:\>risks.; Marc Maiffret; securityat_private
    > C:\>Subject: Code red II crashes cisco 678
    > C:\>
    > C:\>
    > C:\>All day I've had customers calling with cisco 678 routers
    > C:\>running cbos 2.4.2
    > C:\>with the web interface disabled. Seems their routers have
    > C:\>been crashing.
    > C:\>
    > C:\>We traced this back to the code red worm. For some reason
    > C:\>even with web
    > C:\>disabled on these routers port 80 remains open. Simply
    > C:\>running a port scan
    > C:\>and cutting off the connection is enough to crash the
    > C:\>router. Locks up
    > C:\>solid.
    > C:\>
    > C:\>I also found a solution, by doing a
    > C:\>
    > C:\>set web remote ipaddress
    > C:\>
    > C:\>where ipaddress is one of their internal IP's you can
    > C:\>prevent outside
    > C:\>addresses from being able to crash the router.
    > C:\>
    > C:\>Just a heads up guys, if you are seeing 678's crashing,
    > C:\>give it a try, it's
    > C:\>working here.
    > C:\>
    > C:\>Geo.
    > C:\>
    > C:\>
    > C:\>
    > C:\>
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 12:48:06 PDT
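
Added example, not part of any message in this thread: a check a monitoring point in front of affected routers could use to flag the traffic Vladimir describes, ICMP echo requests carrying the IPv4 Record Route option (option type 7 in RFC 791). The function names, the sample packet and its documentation-range addresses are constructed for illustration.

```python
import struct

RECORD_ROUTE = 7        # IPv4 option type for Record Route (RFC 791)
ICMP_ECHO_REQUEST = 8   # ICMP type for echo request

def ip_options(packet: bytes):
    """Yield (type, data) for each option in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            return
        if kind == 1:                     # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        yield kind, opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]

def is_record_route_echo(packet: bytes) -> bool:
    """True for an ICMP echo request whose IP header carries Record Route."""
    options = list(ip_options(packet))    # validates the header first
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) <= ihl or packet[ihl] != ICMP_ECHO_REQUEST:
        return False
    return any(kind == RECORD_ROUTE for kind, _ in options)

def build_sample(options: bytes) -> bytes:
    """Constructed sample: IPv4 header + options + ICMP echo (checksums left 0)."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         20 + len(options) + len(icmp), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + icmp

# Option as sent for "-r 8": type 7, length 3 + 8*4, pointer 4, 8 empty slots.
RR_8 = bytes([RECORD_ROUTE, 35, 4]) + bytes(32)

if __name__ == "__main__":
    print(is_record_route_echo(build_sample(RR_8)), is_record_route_echo(build_sample(b"")))
```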