
RE: Cisco IOS vulnerability

From: Quarantine <Quarantine(at)GSCCCA.ORG>
Date: Fri Jul 18 2003 - 07:36:40 EDT


You can use any source and any destination, as long as you limit your protocols. The problem is caused by a "specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM)." The sample ACL from the advisory:

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any

Matt

-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: Thursday, July 17, 2003 5:20 PM
To: gkruel@openlink.com.br; incidents@securityfocus.com
Subject: RE: Cisco IOS vulnerability

  I don't think so. I think you're looking at

! BEGIN for each router-address
permit ip host trusted host router-address   ! times number of trusted source addresses/ranges
deny ip any host router-address
! END for each router-address

and then you apply this to each interface (or, if you already have an ACL on an interface, add this to it).

  So it's at least O(trusted addresses/ranges), and at worst O(trusted x router-addresses x router-interfaces). OUCH.

  Installing a fixed IOS release starts to look like a whole lot less admin work, and without the possible performance hit.


(Note that transiting packets, not addressed to the router itself, apparently cannot trigger this bug.)

David Gillett

> -----Original Message-----
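The two mitigations traded in this thread behave differently on the wire, and it helps to see both applied to the same packets. The following is an added example, not code from either poster or from the Cisco advisory: a toy evaluator for IOS-style extended ACL lines (first match wins, implicit deny at the end, IOS wildcard-mask semantics), fed the advisory's protocol-based ACL quoted above and a per-router-address ACL generated from the template in David Gillett's message. All addresses, the list numbers 101/102 and the trusted-host list are constructed for illustration.

```python
"""Compare the protocol-based and router-address-based ACL mitigations.

Added example (not from the mailing-list thread).  Addresses below are
constructed documentation ranges, not real routers.
"""
import ipaddress

PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
ALL_ONES = 0xFFFFFFFF

# The advisory's sample ACL, as quoted in Matt's reply above.
ADVISORY_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

# Constructed inputs for the per-router-address scheme.
TRUSTED = ["192.0.2.10", "192.0.2.11"]      # hypothetical trusted sources
ROUTER_ADDRS = ["192.0.2.1", "10.0.0.1"]     # hypothetical router interface addresses


def ip_int(s):
    return int(ipaddress.ip_address(s))


def parse_addr(tok):
    """Consume an IOS address spec; return ((addr, wildcard), remaining tokens).

    Wildcard bits set to 1 are 'don't care', exactly as IOS interprets them.
    """
    if tok[0] == "any":
        return (0, ALL_ONES), tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]


def addr_match(spec, ip):
    addr, wild = spec
    return ((ip ^ addr) & ~wild & ALL_ONES) == 0


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' lines.

    Returns a list of (permit, proto_number_or_None, src_spec, dst_spec).
    Comments after '!' and blank lines are ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("!")[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("unsupported line: " + line)
        permit = tok[2] == "permit"
        proto = PROTO_NAMES[tok[3]] if tok[3] in PROTO_NAMES else int(tok[3])
        src, rest = parse_addr(tok[4:])
        dst, _ = parse_addr(rest)
        rules.append((permit, proto, src, dst))
    return rules


def evaluate(rules, proto, src, dst):
    """True if the packet is permitted: first matching entry wins, implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for permit, rproto, rsrc, rdst in rules:
        if rproto is not None and rproto != proto:
            continue
        if addr_match(rsrc, s) and addr_match(rdst, d):
            return permit
    return False


def router_address_acl(number, trusted, router_addrs):
    """Expand David Gillett's per-router-address template into ACL lines.

    Size grows as trusted x router_addrs (+ one deny per router address),
    and the result must then be applied on every interface.
    """
    lines = []
    for r in router_addrs:
        for t in trusted:
            lines.append(f"access-list {number} permit ip host {t} host {r}")
        lines.append(f"access-list {number} deny ip any host {r}")
    lines.append(f"access-list {number} permit ip any any")
    return "\n".join(lines)


def compare(proto, src, dst):
    """Return (permitted_by_advisory_acl, permitted_by_router_address_acl)."""
    adv = parse_acl(ADVISORY_ACL)
    per_addr = parse_acl(router_address_acl(102, TRUSTED, ROUTER_ADDRS))
    return evaluate(adv, proto, src, dst), evaluate(per_addr, proto, src, dst)


if __name__ == "__main__":
    attacker = "203.0.113.5"
    print("proto 53 -> router    ", compare(53, attacker, ROUTER_ADDRS[0]))
    print("proto 53 transit      ", compare(53, attacker, "198.51.100.7"))
    print("tcp      -> router    ", compare(6, attacker, ROUTER_ADDRS[0]))
    print("PIM from trusted peer ", compare(103, TRUSTED[0], ROUTER_ADDRS[0]))
```

The four cases in the usage block show the trade-off the thread argues about: both ACLs drop the listed protocols when they are addressed to the router, but the protocol-based ACL also drops those protocols in transit (including legitimate PIM from a trusted neighbour), while the per-router-address ACL leaves transit alone at the cost of an entry count that multiplies with trusted sources and router addresses.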



Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com


Received on Fri Jul 18 14:11:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:11 EDT

