
RE: Cisco IOS vulnerability

From: Quarantine <Quarantine(at)GSCCCA.ORG>
Date: Fri Jul 18 2003 - 07:28:32 EDT


That's fine for inbound externally-sourced traffic. However, you're forgetting access from the inside to your perimeter router and access to all of your internal routers.

Matt

-----Original Message-----

From: Paul Benedek [mailto:paul.benedek@excis.co.uk]
Sent: Thursday, July 17, 2003 2:44 PM
To: gkruel@openlink.com.br; incidents@securityfocus.com
Subject: RE: Cisco IOS vulnerability

Hi Gustavo,

There are several things that you may wish to consider. The IOS advisory states that it is IP packets in a certain order that can cause the denial of service. Although with the advisory, the risk of being attacked goes up, it is unlikely that many will be affected by this issue. For the sake of good practice, consider the following.

On a perimeter router you should be implementing RFC1918 and RFC2827 filtering to preclude spoofing. Another consideration would be the use of ACLs that only allow access on the ports giving the services to your customers. Therefore if you are hosting a web site, maybe you only need ports 80 and 443 with all other ports denied. If you do need to have ICMP, consider implementing CEF and CAR to rate limit incoming ICMP and UDP. Although these security measures in themselves will not prevent the attack, they will limit the potential for anybody to exploit the IOS weaknesses.

Regards,

Paul Benedek
Director
Excis Networks Limited
http://www.excis.co.uk


-----Original Message-----

From: Gustavo Kruel [mailto:gkruel@openlink.com.br]
Sent: 17 July 2003 15:14
To: incidents@securityfocus.com
Subject: Cisco IOS vulnerability

Hi all.

I saw today the vulnerability alert on Cisco IOS. The workaround is to implement ACLs that block packets from unknown sources directed to an exposed interface.

Thinking about a perimeter router, I have one router with a "tcp any any established" ACL. I also have ICMP opened in this same router, any -> any. Are these lines enough to make this interface vulnerable to the possible attack?

What do you think about it?

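The configuration below is an added illustration for the thread, not something any of the posters supplied: Gustavo's two-line inbound ACL as he describes it, beside an equivalent hardened along the lines Paul lists (RFC1918/RFC2827 anti-spoofing, service ports only, CEF plus CAR for ICMP) and Matt's caveat about access to the router itself from the inside. All prefixes, host addresses, ACL names and numbers, interface names and CAR rates are placeholders to be replaced with the real ones.

```cisco
! --- Gustavo's current inbound filter, reconstructed from his description ---
ip access-list extended INBOUND-WEAK
 permit tcp any any established
 permit icmp any any
! Everything else hits the implicit deny, but every ICMP packet and every TCP
! segment with ACK set reaches the router and the hosts behind it.

! --- Hardened inbound filter following Paul's checklist (placeholder addresses) ---
ip access-list extended INBOUND-HARDENED
 ! RFC 2827: nothing arriving from the Internet may claim our own prefix as source
 deny   ip 203.0.113.0 0.0.0.255 any log
 ! RFC 1918 private space and loopback are never legitimate Internet sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 ! Only the hosted services are reachable from outside (web server 203.0.113.10)
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 ! Return traffic for sessions opened from the inside
 permit tcp any any established
 ! ICMP stays open here but is rate limited by CAR on the interface below
 permit icmp any any
 ! Explicit final deny with logging so dropped packets show up in the logs
 deny   ip any any log

! Numbered ACL used only to classify ICMP for CAR
access-list 102 permit icmp any any

! CEF is a prerequisite for CAR (and for uRPF, an alternative anti-spoofing check)
ip cef

interface Serial0/0
 description Internet uplink (placeholder interface)
 ip access-group INBOUND-HARDENED in
 ! uRPF drops packets whose source is not routable back out this interface
 ip verify unicast reverse-path
 ! CAR: ICMP conforming to 256 kbit/s (burst 8000/8000 bytes) is forwarded, excess dropped
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop

! --- Matt's point: inside hosts can reach the router too. Limit who may talk
! --- to the router itself, independent of the traffic filters above.
access-list 10 permit 192.168.100.0 0.0.0.255
line vty 0 4
 access-class 10 in
```

The rate values and the management subnet in ACL 10 must be sized to the real link and NOC; the log keywords are there so that spoofed or unexpected traffic is visible, not just dropped.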


Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com


Received on Fri Jul 18 14:25:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:11 EDT

