Re: CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

 
 
Alan Lee
      07-17-2003
Anybody read the latest advisory from CERT?


 
James black
      07-17-2003
"Alan Lee" <(E-Mail Removed)> wrote in message news:<3f1631be$(E-Mail Removed)>...
> Anybody read the latest advisory from CERT?

I've read the advisory. It doesn't sound like Cisco really has it
fixed; their site indicates that the workaround only permits an
affected router to be reloaded by adding a new value called
hold-queue.

See below from http://www.cisco.com/en/US/products/...801a34c2.shtml

Workarounds
AFTER APPLYING THE WORKAROUND the input queue depth may be raised with
the hold-queue <new value> in interface command -- the default size is
75. This will allow traffic flow on the interface until the device can
be reloaded.
 
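A check an operator could run against collected `show interfaces` output to spot an input queue that stays at or above its limit, and to list interfaces where the hold-queue was raised from the default of 75. This is an added example, not part of the thread or of Cisco's advisory; the sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed `show interfaces` excerpt (not captured from a real device).
SAMPLE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Input queue: 76/75/1203/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Ethernet1 is up, line protocol is up
  Output queue 0/40, 0 drops; input queue 75/75, 187 drops
Serial0/1 is administratively down, line protocol is down
  Input queue: 0/150/0/0 (size/max/drops/flushes); Total output drops: 0
"""

DEFAULT_HOLD_QUEUE = 75  # default input hold-queue size quoted in the workaround
IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
# Matches both "Input queue: size/max/..." and the older "input queue size/max".
QUEUE_RE = re.compile(r"input queue:?\s+(\d+)/(\d+)", re.IGNORECASE)

def parse_input_queues(text):
    """Return {interface: (current_size, max_size)} from show-interfaces text."""
    queues, iface = {}, None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            continue
        queue = QUEUE_RE.search(line)
        if queue and iface:
            queues[iface] = (int(queue.group(1)), int(queue.group(2)))
    return queues

def full_input_queues(text):
    """Interfaces whose input queue is at or above its maximum in one snapshot."""
    return sorted(n for n, (size, limit) in parse_input_queues(text).items()
                  if size >= limit)

def persistently_full(snapshots):
    """Interfaces full in every snapshot; one full reading can be a burst."""
    sets = [set(full_input_queues(s)) for s in snapshots]
    return sorted(set.intersection(*sets)) if sets else []

def raised_hold_queues(text):
    """Interfaces whose max differs from the default, e.g. workaround applied."""
    return {n: limit for n, (_, limit) in parse_input_queues(text).items()
            if limit != DEFAULT_HOLD_QUEUE}

if __name__ == "__main__":
    print(full_input_queues(SAMPLE), raised_hold_queues(SAMPLE))
```

Interfaces reported by `raised_hold_queues` are worth revisiting once the device has been upgraded and reloaded, so that a temporary hold-queue value does not stay in the configuration unnoticed.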
 
 
 
 
Stephen Evans
      07-17-2003
I have. I know Globix are scheduling IOS updates this evening to stop
the possibility. I'm sure this board is quiet because everyone is off
TFTPing images all day, much like myself.

"Alan Lee" <(E-Mail Removed)> wrote in message news:<3f1631be$(E-Mail Removed)>...
> Anybody read the latest advisory from CERT?

 
Bill F
 
      07-17-2003
I just did. It's a bit ambiguous in its description. "...rare sequence
of crafted IPv4 packets.." Couldn't they be more specific? Will a PIX
or IDS system block such an attack? It seems as though this is a risk
to perimeter devices only. Is there really any need to be concerned
with internal devices, i.e. privately addressed devices behind a firewall?

I also find it interesting that there are images with a fix that
pre-date this advisory. Was it a known bug that was just discovered to
be a security risk? The advisory says there are no known exploitations
of the vulnerability.

Alan Lee wrote:
> Anybody read the latest advisory from CERT?
>
>


 
Chris
 
      07-17-2003

"Alan Lee" <(E-Mail Removed)> wrote in message
news:3f1631be$(E-Mail Removed)...
> Anybody read the latest advisory from CERT?
>


Hmmm .... downloads from Cisco were running quite slow today. Looks like my
trusty TFTP server will be working some overtime along with me.



 
Steve Himebaugh
 
      07-17-2003
Also what is ambiguous is the phrase "sent directly to the device".
What type of packets are sent directly to a device? I would say that
device management protocols such as telnet and SNMP go directly to the
router. But are packets routed by a router considered being sent
directly to the device? And what type of packets would be classified
as being indirectly sent to an IOS device?

Bill F <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> I just did. It's a bit ambiguous in its description. "...rare sequence
> of crafted IPv4 packets.." Couldn't they be more specific? Will a PIX
> or IDS system block such an attack? It seems as though this is a risk
> to perimeter devices only. Is there really any need to be concerned
> with internal devices, i.e. privately addressed devices behind a firewall?
>
> I also find it interesting that there are images with a fix that
> pre-date this advisory. Was it a known bug that was just discovered to
> be a security risk? The advisory says there are no known exploitations
> of the vulnerability.
>
> Alan Lee wrote:
> > Anybody read the latest advisory from CERT?
> >
> >

 
Barry Margolin
 
      07-17-2003
In article <(E-Mail Removed) >,
Steve Himebaugh <(E-Mail Removed)> wrote:
>Also what is ambiguous is the phrase "sent directly to the device".
>What type of packets are sent directly to a device? I would say that
>device management protocols such as telnet and SNMP go directly to the
>router. But are packets routed by a router considered being sent
>directly to the device? And what type of packets would be classified
>as being indirectly sent to an IOS device?


I interpret that as meaning "whose destination address is the device". And
in this case, the types of packets that would be sent directly to the
device are the carefully-crafted packets from someone trying to make the
router fail. All he has to do is look at a traceroute to find the
addresses of lots of routers, and then send exploit packets to them.

--
Barry Margolin, (E-Mail Removed)
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
 
David Wolfenbarger
 
      07-18-2003
The internal threat assessment is really up to you. My concern, depending on
the size of your infrastructure, is that once more public information becomes
available this exploit could then be designed as some type of worm. As a
result any laptop that enters your company, such as a contractor or mobile
user, could unknowingly cause you serious grief.


David Wolfenbarger
----------
Bill F <(E-Mail Removed)> wrote...

> I just did. It's a bit ambiguous in its description. "...rare sequence
> of crafted IPv4 packets.." Couldn't they be more specific? Will a PIX
> or IDS system block such an attack? It seems as though this is a risk
> to perimeter devices only. Is there really any need to be concerned
> with internal devices, i.e. privately addressed devices behind a firewall?
>
> I also find it interesting that there are images with a fix that
> pre-date this advisory. Was it a known bug that was just discovered to
> be a security risk? The advisory says there are no known exploitations
> of the vulnerability.
>
> Alan Lee wrote:
> > Anybody read the latest advisory from CERT?
> >
> >

>


 
Dave Phelps
 
      07-18-2003
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> I also find it interesting that there are images with a fix that
> pre-date this advisory. Was it a known bug that was just discovered to
> be a security risk? The advisory says there are no known exploitations
> of the vulnerability.
>
>

Why is that surprising? Most vendors, including Cisco, are aware of bugs/issues prior to
the formal announcement. This gives them time to develop resolutions before the
information becomes common knowledge. The alternative, vendors announcing the problem
without patches available, would be much worse.

Less common is the attack that is discovered and exploited by a cracker prior to a
vendor's knowledge of the vulnerability.

--
Dave Phelps
DD Networks
www.ddnets.com
deadspam=tippenring
 
CybrSage
 
      07-18-2003
If you read Cisco's advisory, you will see there are many versions of IOS
that are not able to be exploited by this. All the 12.3 IOSs are safe.

Directly sent to device means using the device's IP address, such as if you
wanted to telnet into the router via the Internet to configure it.

"Alan Lee" <(E-Mail Removed)> wrote in message
news:3f1631be$(E-Mail Removed)...
> Anybody read the latest advisory from CERT?
>
>



 