Re: [c-nsp] Cisco Security Advisory: TCP State Manipulation Denial ofService Vulnerabilities in Multiple Cisco Products

Mon, 14 Sep 2009 07:17:14 -0700 


On Sep 13, 2009, at 10:28 PM, Kevin Graham wrote:


Sorry for the late response, had to dig through some old cases...
But anyway - my routers are lying to me. They list *.179 just fine (BGP), but all the other interesting stuff (telnet, ssh, ldp) is not there...
Last dug into this 2.5y ago (while looking into PSIRT cisco- sa-20070131-sip) 
and the answer was:

    CSCdk86016
    Externally found moderate defect: Duplicate (D)
    Theres no way to see all listening ports

    CSCds10428
    Internally found moderate defect: Closed (C)
    Need netstat kind of support for IOS TCP/UDP
It looks like after the business units analyzed everything they decided 
    they were not going to move forward with this command.
"Currently we have the show tcp brief all which gives the lists the TCB's in the listening state. Also the netstat command is more generic and applicable to UNIX. While it is desirable to have something like 
    that, I don't see the exact benefits of the same."
Hopefully the new feature Eloy referred to will be more broadly available; does anyone have the DDTS for its integration into 12.2S-derived trains?
Cisco does not manage software in a way that features and capabilities go to every platform/release. Each platform runs its own release-ops team, with the rare exception of 'mainline'. The platform specific trains eg: S/SX etc pick up mainline features via bulk syncs of code.
I've been asking for this capability for years, there is no way this is going to show up. Cisco does not have the fortitude to keep a platform from shipping to pick up a central-eng/nsstg(itd) driven cleanup. If something impairs the ability for cisco to recognize revenue, such as security/PSIRT issues it's unlikely to stop things from shipping.
ie: You need to ask your account team to prioritize these over you actually buying a device. If it stops them from being able to sell you routers, it will get fixed. If not, it's unlikely to have an impact.
While you're at it, ask for protected memory in the software. It's not like ram/flash are expensive these days... 

- Jared
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Reply via email to