RE: Cisco IOS vulnerability

You are vulnerable unless you have deny statement which blocks all packets other than say ICMP or IPSEC coming to the router interface which is connected to the Internet.

Even though the packets targeted *at* the routers interface is only dangerous for that router, you can block all the dangerous packets *through* the router at your perimeter router which would avoid another router down the line getting attacked.

Cisco has updated the security advisory and the same is available at

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

You can put lines like the one below given at the top of your existing access list. This is not going to affect your ICMP or TCP Established traffic.

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any

Thanks,

Antony Abraham

-----Original Message-----
From: James Fields [mailto:jvfields@tds.net] Sent: Friday, July 18, 2003 2:02 AM
To: gkruel@openlink.com.br
Cc: incidents@securityfocus.com
Subject: Re: Cisco IOS vulnerability

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The vulnerability is based on a sequence of some number of special packets targeted *at* the router's interface (i.e., not packets that are going to be routed *through*).

The packets do not use the normal IP protocols such as TCP/UDP/ICMP, but something different. So, first thing is that if you're only allowing TCP, UDP, ICMP, and maybe IPSEC then you may be ok. Even so, you should also as part of your ACLs be dropping packets targeted directly AT your router's interface address unless you know what they do and where they are from.

On Thu, 2003-07-17 at 10:14, Gustavo Kruel wrote:
> Hi all.
any
> established" ACL. I also have ICMP opened in this same router, any ->
any.
> Are this lines enough to make this interface vulnerable to the
possible
> attack?

-- 
James V. Fields


------------------------------------------------------------------------
----
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from
CSO's to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
------------------------------------------------------------------------
----

---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------