RE: Cisco Vulnerability

From: asadovnikov (asadovnikov@comcast.net)
Date: Sat Jul 19 2003 - 13:46:30 GMT-3


I know it is yesterday's news, but just in case... it was on the public
mailing list as well.

http://www.netsys.com/cgi-bin/displaynews?a=611

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mustafa M Bayramov
Sent: Saturday, July 19, 2003 3:43 AM
To: ccielab@groupstudy.com; 'asadovnikov'; 'Charles Church'
Subject: RE: Cisco Vulnerability

Here it is

www2.def-con.org/shadowchode.tar.gz

Mustafa M Bayramov

CISSP
CCNP,CCDP,Cisco Security Specialist
Network engineer and security analyst

"I know nothing except the fact of my ignorance." Socrates

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Charles Church
Sent: Friday, July 18, 2003 5:47 PM
To: Pratt, Jeremy; wing_lam@jossynergy.com
Cc: ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

defcon? Are we getting ready to launch missiles or something? Maybe it's
just Matthew Broderick confusing the WOPR again...

Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Pratt, Jeremy
Sent: Friday, July 18, 2003 5:21 PM
To: 'wing_lam@jossynergy.com'
Cc: 'ccielab@groupstudy.com'
Subject: RE: Cisco Vulnerability

I've seen no hits on these protocols since yesterday morning.

Symantec and others are upping the response on this to defcon 2.

-----Original Message-----
From: wing_lam@jossynergy.com [mailto:wing_lam@jossynergy.com]
Sent: Thursday, July 17, 2003 11:27 PM
To: ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

Hi group;

Anybody know how bad the situation is now?

Thx,
Winglam

-----Original Message-----
From: "Brown, Patrick (NSOC-OCF}" <PBrown4@chartercom.com>
Sent by: nobody@groupstudy.com
Sent: 07/18/2003 06:37 AM
To: "'James.Jackson@broadwing.com'" <James.Jackson@broadwing.com>
cc: Brennan_Murphy@NAI.com, sam@munzani.com, id353@singnet.com.sg, ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability
Please respond to "Brown, Patrick (NSOC-OCF}"

Look at the article, Cisco announces the traffic type! Wow!

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

Thanks,

Patrick Brown

-----Original Message-----
From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
Sent: Thursday, July 17, 2003 2:40 PM
To: Brown, Patrick (NSOC-OCF}; Brennan_Murphy@NAI.com; sam@munzani.com;
id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

There should not be that much traffic destined to the router itself. Looking
at the config and performing some basic traffic analysis should suffice.
This is assuming you're not talking about a transit ACL, which is a whole
other story.

-----Original Message-----
From: Brown, Patrick (NSOC-OCF} [mailto:PBrown4@chartercom.com]
Sent: Thursday, July 17, 2003 12:11 PM
To: Jackson, James (DS Engineering); Brennan_Murphy@NAI.com;
sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

What are some other ACL entries that most providers put on their box to
mitigate this, other than the general ACLs that Cisco recommended? I know
most ISPs upgraded their core routers, but I was wondering if any applied
the ACLs. If so, were there any ACL entries that you had to open that were not
in Cisco's general ACL? I am doing a lot of identification via NetFlow, but I
was wondering what your thoughts were.

Thanks,

Pb

-----Original Message-----
From: James.Jackson@broadwing.com [mailto:James.Jackson@broadwing.com]
Sent: Thursday, July 17, 2003 10:42 AM
To: Brennan_Murphy@NAI.com; sam@munzani.com; id353@singnet.com.sg;
ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

That's correct. I would add that ACLs are often not an option for internet
backbone routers :)

-----Original Message-----
From: Brennan_Murphy@NAI.com [mailto:Brennan_Murphy@NAI.com]
Sent: Thursday, July 17, 2003 10:08 AM
To: sam@munzani.com; id353@singnet.com.sg; ccielab@groupstudy.com
Subject: RE: Cisco Vulnerability

Obviously Cisco knows what the rare sequence is, but
to advertise it widely right now would be very unfortunate.

If the rare sequence were to be leaked and widely available
....AND...companies started noticing that hackers are using
it against them, Cisco would post specific information about
how to block the "rare packet sequence." For now, they are
simply recommending ACLs that block traffic destined for the
router itself, as opposed to traffic transiting through it.

That's my reading. Anyone care to comment?
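
The distinction drawn above (an ACL that blocks what is addressed to the router's own interfaces while leaving transit traffic alone) and the earlier question of which protocols such an ACL still has to permit both come down to looking at what actually reaches the box. The script below is an added example written for this archive page, not code from any poster or from Cisco: it splits NetFlow-style records into "to the router" and "transit", totals the to-router traffic per IP protocol, flags protocols that are not on an operator-defined expected list, and renders a skeleton IOS extended ACL from the result. The router addresses, the expected-protocol list and the flow records are all constructed for illustration.

```python
"""Split sampled flow records into traffic addressed to the router itself
and transit traffic, then show which protocols a receive-style ACL would
have to keep open.

Added example for this archived thread; not code from any poster or from
Cisco. Router addresses, the expected-protocol list and the flow records are
constructed for illustration.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed: the router's own interface addresses (hypothetical).
ROUTER_ADDRESSES = {
    ip_address("192.0.2.1"),
    ip_address("192.0.2.2"),
    ip_address("198.51.100.1"),
}

# Constructed: IP protocols the operator expects to terminate on the router
# (ICMP, TCP for BGP and management, OSPF). Anything else addressed to a
# router interface is flagged for review before a deny entry is applied.
EXPECTED_PROTOCOLS = {1: "icmp", 6: "tcp", 89: "ospf"}

# Constructed NetFlow-style export reduced to: src dst proto packets
SAMPLE_FLOWS = """\
# src            dst              proto packets
203.0.113.10     192.0.2.1        6     120
203.0.113.10     198.51.100.200   6     4000
203.0.113.44     192.0.2.1        1     15
203.0.113.99     192.0.2.2        47    300
203.0.113.99     198.51.100.77    17    800
203.0.113.7      198.51.100.1     89    60
203.0.113.7      198.51.100.1     132   25
"""


def parse_flows(text):
    """Parse 'src dst proto packets' lines; blank lines and '#' comments are skipped."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        src, dst, proto, pkts = fields
        flows.append((ip_address(src), ip_address(dst), int(proto), int(pkts)))
    return flows


def classify(flows, router_addresses=ROUTER_ADDRESSES):
    """Return (to_router, transit): a flow is 'to the router' only if its
    destination is one of the router's own addresses."""
    to_router, transit = [], []
    for flow in flows:
        (to_router if flow[1] in router_addresses else transit).append(flow)
    return to_router, transit


def summarize(flows, router_addresses=ROUTER_ADDRESSES, expected=EXPECTED_PROTOCOLS):
    """Packet totals per class, per-protocol totals for traffic addressed to the
    router, and the protocols hitting the router that are not on the expected list."""
    to_router, transit = classify(flows, router_addresses)
    by_proto = Counter()
    for _, _, proto, pkts in to_router:
        by_proto[proto] += pkts
    return {
        "to_router_packets": sum(f[3] for f in to_router),
        "transit_packets": sum(f[3] for f in transit),
        "to_router_by_proto": dict(by_proto),
        "unexpected_protocols": sorted(p for p in by_proto if p not in expected),
    }


def draft_acl(summary, acl_number=101, router_addresses=ROUTER_ADDRESSES,
              expected=EXPECTED_PROTOCOLS):
    """Render a skeleton IOS extended ACL from the summary: permit the expected
    protocols actually seen to each router address, deny (and log) everything
    else addressed to those interfaces, and leave transit traffic untouched.
    A starting point for review, not a ready-to-apply policy."""
    seen = summary["to_router_by_proto"]
    lines = []
    for addr in sorted(router_addresses):
        for proto in sorted(p for p in seen if p in expected):
            lines.append(f"access-list {acl_number} permit {expected[proto]} any host {addr}")
        lines.append(f"access-list {acl_number} deny ip any host {addr} log")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    report = summarize(parse_flows(SAMPLE_FLOWS))
    print(f"to router: {report['to_router_packets']} pkts, transit: {report['transit_packets']} pkts")
    print("to-router packets by protocol:", report["to_router_by_proto"])
    print("unexpected protocols hitting the router:", report["unexpected_protocols"])
    print("\n".join(draft_acl(report)))
```

The transit flows never influence the generated entries, which is the point of the thread's distinction; the "unexpected" list is where an operator finds the protocols that would have to be opened (or confirmed as unwanted) before a deny entry goes on a production interface.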

-----Original Message-----
From: Sam Munzani [mailto:sam@munzani.com]
Sent: Thursday, July 17, 2003 10:28 AM
To: Ron; ccielab@groupstudy.com
Subject: Re: Cisco Vulnerability

Below is the line from the Summary section of the CCO page.
Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a
Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets
sent directly to the device may cause the input interface to stop
processing traffic once the input queue is full.

Does this interpret as "Any traffic destined to the targeted device IP
will cause it to fail?" OR "Any such transit traffic will also kill the
device?"

Does anybody know what that rare sequence is? I would like to lab it up
to understand the impact on our network.

Sam

> Guys,
>
> Got this a while back from CERT. Check it out.
>
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> Ron
>
> >From "Mustafa Bayramov (ICT/IT)" <mustafa@azercell.com> on 16 Jul
> >2003:
>
> > All details here
> >
> >
> > http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml
> >
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of asadovnikov
> > Sent: Wednesday, July 16, 2003 8:19 PM
> > To: 'Larry Letterman'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> > Larry,
> >
> > Could you kindly send us CCO link.
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
> > Of Larry Letterman
> > Sent: Wednesday, July 16, 2003 8:04 PM
> > To: 'Kim Ed'; ccielab@groupstudy.com
> > Subject: RE: Cisco Vulnerability
> >
> >
> > There is a memory leak on certain IOS versions that causes the
> > routers to reload. The info can be found on CCO.
> >
> >
> > Larry Letterman
> > Cisco Systems
> >
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Kim Ed
> > Sent: Wednesday, July 16, 2003 3:22 PM
> > To: ccielab@groupstudy.com
> > Subject: Cisco Vulnerability
> >
> >
> > Group,
> >
> > I heard many major ISPs are having emergency maintenances (code
> > upgrade?).
> >
> > I also hear that it is not related to this bug below but can't be
> > sure.
> >
> > http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml
> >
> > The rumored vulnerability is IOS, not CatOS and supposedly causes a
> > reload, not a telnet DoS.
> >
> > Anyone know about this?
> >
> >
> >
> > Edward
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> === message truncated ===
>



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:46 GMT-3