From: Steven Cromie (scromie@cisco.com)
Date: Thu Jul 17 2003 - 16:50:48 GMT-3
The security advisory is for a rare sequence of crafted IPv4 packets sent
directly to the device. It is not affected by transit traffic. The ACLs
should be configured to block unauthorized traffic from the infrastructure
resources. This is really a basic best practice to protect your
infrastructure also.

So..

Permit explicitly what can access the router
Deny explicitly all other access to the router
Permit all transit traffic

Steve
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Sam Munzani
Sent: Thursday, July 17, 2003 7:28 AM
To: Ron; ccielab@groupstudy.com
Subject: Re: Cisco Vulnerability
Below is the line from Summary section of CCO page.

Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent
directly to the device may cause the input interface to stop processing
traffic once the input queue is full.

Does this interpret as "Any traffic destined to the targeted device IP
will cause it to fail?" OR "Any such Transit traffic will also kill the
device?".

Does anybody know what that rare sequence is? I would like to lab it up to
understand the impact on our network.

Sam
> Guys,
>
> Got this a while back from CERT. Check it out.
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Ron
>
> From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul 2003:
>
> > All details here
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> >
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > asadovnikov
> > Sent: Wednesday, July 16, 2003 8:19 PM
> > To: 'Larry Letterman'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> > Larry,
> >
> > Could you kindly send us CCO link.
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Larry Letterman
> > Sent: Wednesday, July 16, 2003 8:04 PM
> > To: 'Kim Ed'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> >
> > There is a memory leak on certain IOS versions, that causes the routers
> > to reload..
> > The info can be found on CCO....
> >
> >
> > Larry Letterman
> > Cisco Systems
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Kim Ed
> > Sent: Wednesday, July 16, 2003 3:22 PM
> > To: ccielab@groupstudy.com
> > Subject: Cisco Vulnerability
> >
> >
> > Group,
> >
> > I heard many major ISPs are having emergency maintenances (code
> > upgrade?).
> >
> > I also hear that it is not related to this bug below but can't be sure.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> >
> > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > reload, not a telnet DoS.
> >
> > Does anyone know about this?
> >
> >
> >
> > Edward
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> === message truncated ===
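
The three-step ordering Steve gives at the top of this thread (permit authorised access to the router, deny all other access to the router, permit transit), modelled here as an added example that is not code from the thread or from Cisco. The address ranges are constructed placeholders from the documentation prefixes and the ACL name `INFRA-PROTECT` is hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addressing (documentation ranges), not from the thread.
ANY = ip_network("0.0.0.0/0")
INFRA = ip_network("198.51.100.0/24")  # must cover every router-owned address
MGMT = ip_network("192.0.2.0/28")      # hosts authorised to reach the routers

# Ordered rules, evaluated first-match like an IOS ACL: (action, source, dest)
RULES = [
    ("permit", MGMT, INFRA),  # 1. permit explicitly what can access the router
    ("deny", ANY, INFRA),     # 2. deny explicitly all other access to the router
    ("permit", ANY, ANY),     # 3. permit all transit traffic
]

def evaluate(src, dst, rules=RULES):
    """Return (action, rule_number) for the first rule matching the packet."""
    s, d = ip_address(src), ip_address(dst)
    for number, (action, rule_src, rule_dst) in enumerate(rules, 1):
        if s in rule_src and d in rule_dst:
            return action, number
    return "deny", 0  # implicit deny when nothing matches

def wildcard(net):
    """Format a network as IOS 'address wildcard-mask', or 'any'."""
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

def render(rules=RULES, name="INFRA-PROTECT"):  # ACL name is hypothetical
    """Render the rules as IOS extended ACL lines."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {a} ip {wildcard(s)} {wildcard(d)}" for a, s, d in rules]
    return lines

if __name__ == "__main__":
    samples = [  # constructed packets: (source, destination)
        ("192.0.2.5", "198.51.100.1"),     # management host to router
        ("203.0.113.9", "198.51.100.1"),   # unauthorised host to router
        ("203.0.113.9", "203.0.113.200"),  # transit, not addressed to a router
    ]
    for src, dst in samples:
        print(src, "->", dst, evaluate(src, dst))
    print("\n".join(render()))
```

On IOS the rendered list would be attached inbound with `ip access-group` on interfaces facing untrusted networks. Moving rule 3 ahead of rule 2 makes the deny unreachable, which is why the order of the three steps matters.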
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:43 GMT-3