RE: Cisco Vulnerability

From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Sat Jul 19 2003 - 11:55:32 GMT-3


Unfortunately any traffic generator brings you to the same result.
No "special" tools are necessary.

> -----Original Message-----
> From: Mustafa M Bayramov [mailto:spyroot@azeronline.com]
> Sent: Saturday, July 19, 2003 3:43 AM
> To: ccielab@groupstudy.com; 'asadovnikov'; 'Charles Church'
> Subject: RE: Cisco Vulnerability
>
>
> Here it is:
>
> www2.def-con.org/shadowchode.tar.gz
>
>
>
> Mustafa M Bayramov
>
> CISSP
> CCNP,CCDP,Cisco Security Specialist
> Network engineer and security analyst
>
>
> "I know nothing except the fact of my ignorance." Socrates
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Charles Church
> Sent: Friday, July 18, 2003 5:47 PM
> To: Pratt, Jeremy; wing_lam@jossynergy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
> defcon? Are we getting ready to launch missiles or something? Maybe it's
> just Matthew Broderick confusing the WOPR again...
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key:
> http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Pratt, Jeremy
> Sent: Friday, July 18, 2003 5:21 PM
> To: 'wing_lam@jossynergy.com'
> Cc: 'ccielab@groupstudy.com'
> Subject: RE: Cisco Vulnerability
>
>
> I've seen no hits on these protocols since yesterday morning.
>
> Symantec and others are upping the response on this to defcon 2.
>
> -----Original Message-----
> From: wing_lam@jossynergy.com [mailto:wing_lam@jossynergy.com]
> Sent: Thursday, July 17, 2003 11:27 PM
> To: ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> Hi group;
>
> Does anybody know how bad the situation is now?
>
> Thx,
> Winglam
>
>
>
>
>
> From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
> Sent by: nobody@groupstudy.com
> Sent: 07/18/2003 06:37 AM
> To: "'James.Jackson@broadwing.com'" <James.Jackson@broadwing.com>, Brennan_Murphy@NAI.com, sam@munzani.com, id353@singnet.com.sg, ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
> Please respond to "Brown, Patrick (NSOC-OCF}"
>
> Look at the article, Cisco announces the traffic type! Wow!
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Thanks,
>
> Patrick Brown
>
> -----Original Message-----
> From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
> Sent: Thursday, July 17, 2003 2:40 PM
> To: Brown, Patrick (NSOC-OCF}; Brennan_Murphy@NAI.com;
> sam@munzani.com;
> id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
>
> There should not be that much traffic destined to the router itself.
> Looking at the config and performing some basic traffic analysis should
> suffice. This is assuming you're not talking about a transit ACL, which
> is a whole other story.
>
> -----Original Message-----
> From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
> Sent: Thursday, July 17, 2003 12:11 PM
> To: Jackson, James (DS Engineering); Brennan_Murphy@NAI.com;
> sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> What are some other ACL entries that most providers put on their box to
> mitigate this, other than the general ACLs that Cisco recommended? I
> know most ISPs upgraded their core routers, but I was wondering if any
> applied the ACLs. If so, were there any ACLs that you had to open that
> were not in Cisco's general ACL? I am doing a lot of identification via
> NetFlow, but I was wondering what your thoughts were.
>
>
> Thanks,
>
> Pb
>
> -----Original Message-----
> From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
> Sent: Thursday, July 17, 2003 10:42 AM
> To: Brennan_Murphy@NAI.com; sam@munzani.com; id353@singnet.com.sg;
> ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> That's correct. I would add that ACLs are often not an option for
> internet backbone routers :)
>
> -----Original Message-----
> From: Brennan_Murphy@NAI.com [mailto:Brennan_Murphy@NAI.com]
> Sent: Thursday, July 17, 2003 10:08 AM
> To: sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
> Subject: RE: Cisco Vulnerability
>
>
> Obviously Cisco knows what the rare sequence is but
> to advertise it widely right now would be very unfortunate.
>
> If the rare sequence were to be leaked and widely available
> ....AND...companies started noticing that hackers are using
> it against them, Cisco would post specific information about
> how to block the "rare packet sequence." For now, they are
> simply recommending ACLs that block traffic destined for
> as opposed to transiting through the router itself.
>
> That's my reading. Anyone care to comment?
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: Thursday, July 17, 2003 10:28 AM
> To: Ron; ccielab@groupstudy.com
> Subject: Re: Cisco Vulnerability
>
>
> Below is the line from the Summary section of the CCO page.
> Cisco routers and switches running Cisco IOS software and configured to
> process Internet Protocol version 4 (IPv4) packets are vulnerable to a
> Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
> sent directly to the device may cause the input interface to stop
> processing traffic once the input queue is full.
>
> Is this to be interpreted as "Any traffic destined to the targeted device
> IP will cause it to fail?" OR "Any such transit traffic will also kill
> the device?"
>
> Does anybody know what that rare sequence is? I would like to lab it up
> to understand the impact on our network.
>
> Sam
>
> > Guys,
> >
> > Got this a while back from CERT. Check it out.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
> >
> > Ron
> >
> > From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul 2003:
> >
> > > All details here
> > >
> > >
> > > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> > >
> > >
> > > Mustafa M Bayramov
> > >
> > > CISSP
> > > CCNP,CCDP,Cisco Security Specialist
> > > Network engineer and security analyst
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > asadovnikov
> > > Sent: Wednesday, July 16, 2003 8:19 PM
> > > To: 'Larry Letterman'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > > Larry,
> > >
> > > Could you kindly send us CCO link.
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Larry Letterman
> > > Sent: Wednesday, July 16, 2003 8:04 PM
> > > To: 'Kim Ed'; ccielab@groupstudy.com
> > > Subject: RE: Cisco Vulnerability
> > >
> > >
> > > There is a memory leak on certain IOS versions that causes the
> > > routers to reload. The info can be found on CCO.
> > >
> > >
> > > Larry Letterman
> > > Cisco Systems
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Kim Ed
> > > Sent: Wednesday, July 16, 2003 3:22 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Cisco Vulnerability
> > >
> > >
> > > Group,
> > >
> > > I heard many major ISPs are having emergency maintenance (code
> > > upgrades?).
> > >
> > > I also hear that it is not related to this bug below but can't be
> > > sure.
> > >
> > > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> > >
> > > The rumored vulnerability is IOS, not CatOS, and supposedly causes a
> > > reload, not a telnet DoS.
> > >
> > > Does anyone know about this?
> > >
> > >
> > >
> > > Edward
> > >
> > > DISCLAIMER:
> > > The information contained in this e-mail may be confidential and is
> > > intended solely for the use of the named addressee. Access, copying
> > > or re-use of the e-mail or any information contained therein by any
> > > other person is not authorized. If you are not the intended
> > > recipient please notify us immediately by returning the e-mail to
> > > the originator.(A)
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> > === message truncated ===
> >
> >
> +++The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and destroy any copies of this
> document.+++
>
> -----------------------------------------------------------
> SECURITY/CONFIDENTIALITY WARNING: This message and any attachments are
> intended solely for the individual or entity to which they are addressed.
> This communication may contain information that is privileged, confidential,
> or exempt from disclosure under applicable law (e.g., personal health
> information, research data, financial information). Because this e-mail has
> been sent without encryption, individuals other than the intended recipient
> may be able to view the information, forward it to others or tamper with the
> information without the knowledge or consent of the sender. If you are not
> the intended recipient, or the employee or person responsible for delivering
> the message to the intended recipient, any dissemination, distribution or
> copying of the communication is strictly prohibited. If you received the
> communication in error, please notify the sender immediately by replying to
> this message and deleting the message and any accompanying files from your
> system. If, due to the security risks, you do not wish to receive further
> communications via e-mail, please reply to this message and inform the sender
> that you do not wish to receive further e-mail from the sender.
> ===========================================================


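The mitigation discussed in the thread above is an ACL that blocks traffic addressed to the router itself while leaving transit traffic alone, and the open question is how to tell, from NetFlow and a look at the config, which to-router traffic a provider must still permit. The following Python is an added example for that analysis; it is not code from the thread, from Cisco, or from the advisory. The router addresses, the flow records, the list of expected control-plane traffic (BGP on TCP 179, ICMP, OSPF protocol 89) and the ACL name are all constructed assumptions. It splits flow records into to-router and transit, aggregates to-router traffic that is not on the expected list by protocol and port with its sources, and prints candidate IOS extended-ACL lines that permit the expected receive-path traffic and deny the rest.

```python
"""Classify NetFlow-style records into traffic destined to the router itself
versus transit traffic, and derive the receive-path permits an infrastructure
ACL would need. Added illustration: the addresses, flows and expected-traffic
table below are constructed assumptions, not data from the thread or advisory."""
from collections import defaultdict

# Constructed sample flow export, one record per line:
# src, dst, ip_proto, dst_port, packets  (dst_port is 0 for non-TCP/UDP)
SAMPLE_FLOWS = """\
10.1.1.2,192.0.2.1,6,179,1200
10.1.1.2,192.0.2.1,6,179,800
10.9.9.9,192.0.2.1,1,0,20
10.9.9.9,192.0.2.1,47,0,500
10.9.9.9,192.0.2.2,17,161,400
10.1.1.2,198.51.100.7,6,80,9000
203.0.113.5,198.51.100.9,17,53,300
10.1.1.3,192.0.2.2,89,0,60
"""

# Addresses the router itself owns (assumed). Packets to these land in the
# router's own input queue, which is the path the advisory concerns; anything
# else transits and is untouched by a receive-path ACL.
ROUTER_ADDRESSES = {"192.0.2.1", "192.0.2.2"}

# Control-plane traffic this router is expected to receive directly (assumed):
# (ip_proto, dst_port) -> label; a port of None means any port.
EXPECTED_TO_ROUTER = {(6, 179): "BGP", (1, None): "ICMP", (89, None): "OSPF"}

# IOS ACL protocol keywords for the protocol numbers used above.
PROTO_KEYWORD = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "port": int(port), "packets": int(pkts)})
    return flows


def classify(flows, router_addrs):
    """Split flows into those addressed to the router and those transiting it."""
    to_router = [f for f in flows if f["dst"] in router_addrs]
    transit = [f for f in flows if f["dst"] not in router_addrs]
    return to_router, transit


def is_expected(flow, expected):
    """True when the flow matches an expected (proto, port) or (proto, any)."""
    return ((flow["proto"], flow["port"]) in expected
            or (flow["proto"], None) in expected)


def unexpected_to_router(flows, router_addrs, expected):
    """Aggregate to-router traffic that is not on the expected list, keyed by
    (proto, port), with packet totals and the source addresses seen."""
    to_router, _ = classify(flows, router_addrs)
    summary = defaultdict(lambda: {"packets": 0, "sources": set()})
    for f in to_router:
        if is_expected(f, expected):
            continue
        key = (f["proto"], f["port"])
        summary[key]["packets"] += f["packets"]
        summary[key]["sources"].add(f["src"])
    return dict(summary)


def receive_acl_lines(router_addrs, expected):
    """Candidate IOS named extended-ACL lines: permit the expected receive-path
    traffic, deny everything else aimed at the router, leave transit alone.
    Illustrative output, not the ACL from the Cisco advisory."""
    lines = ["ip access-list extended RECEIVE-PATH"]
    for addr in sorted(router_addrs):
        # key on the protocol number only, since ports may be None
        for (proto, port), name in sorted(expected.items(), key=lambda kv: kv[0][0]):
            keyword = PROTO_KEYWORD.get(proto, str(proto))
            suffix = f" eq {port}" if port is not None else ""
            lines.append(f" remark {name} to {addr}")
            lines.append(f" permit {keyword} any host {addr}{suffix}")
        lines.append(f" deny ip any host {addr}")
    lines.append(" remark transit traffic is not affected")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    to_router, transit = classify(flows, ROUTER_ADDRESSES)
    print(f"{len(to_router)} flows to the router, {len(transit)} transit")
    bad = unexpected_to_router(flows, ROUTER_ADDRESSES, EXPECTED_TO_ROUTER)
    for (proto, port), info in sorted(bad.items()):
        print(f"unexpected to-router traffic: proto={proto} port={port} "
              f"packets={info['packets']} from {sorted(info['sources'])}")
    print("\n".join(receive_acl_lines(ROUTER_ADDRESSES, EXPECTED_TO_ROUTER)))
```

On the constructed data the script reports GRE (protocol 47) and SNMP (UDP 161) reaching the router from a source not on the expected list, which is exactly the kind of entry a provider would have to decide to open or leave blocked before applying a receive-path ACL. The expected-traffic table is the part to build from the real config (routing protocol neighbours, management hosts, monitoring), and the deny lines only cover addresses the router owns, so transit traffic through the box is unaffected.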

This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:46 GMT-3