Here's another one:

Cisco Security Advisory: Data Leak with Cisco Express Forwarding Enabled

Revision 1.0
For Public Release 2002 February 27 08:00 (UTC -0800)

--------------------------------------------------------------------------

Summary
=======

All Cisco devices running Cisco IOS(r) and having Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been handled by the device. This can happen if the packet length described in the IP header is bigger than the physical packet size. Packets like these will be expanded to fit the IP length and, during that expansion, an information leak may occur.

Please note that an attacker can only collect parts of some packets but not the whole session.

No other Cisco product is vulnerable. Devices that have fast switching enabled are not affected by this vulnerability.

The workaround for this vulnerability is to disable CEF.

This advisory is available at http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml.

Affected Products
=================

All Cisco IOS releases that support CEF are vulnerable. In order to trigger this vulnerability, CEF or dCEF must be enabled on the device. The vulnerable Cisco IOS releases are (this is not an exhaustive list):

  * 11.1CC
  * 12.0, 12.0S, 12.0T, 12.0ST
  * 12.1, 12.1E, 12.1T
  * 12.2, 12.2T

No other Cisco products are affected.

Details
=======

When a router receives a packet where the MAC level packet length is shorter than is indicated by the IP level, the router will "extend" the packet to the size indicated by the IP level. This extension will be done by padding the packet with arbitrary data. The issue here is that the padding may contain data from previous packets that has not been erased.

Although it is possible to trigger this vulnerability on command, it is not possible to predict what information would be collected this way. It is not possible for an attacker to selectively capture desired packets (for example, packets with a username and password combination).

This vulnerability is specific to CEF. Fast switching is not affected by it.

This vulnerability is documented as Cisco Bug ID CSCdu20643. For the Cisco IOS 11.1CC image, this vulnerability is described as Cisco Bug ID CSCdp58360.

Impact
======

By sending malformed packets, and capturing them after they have been processed by CEF, an attacker may find remnants of previous packets in them. The remnant data may contain whatever the previous packet has carried. That may be parts of a document, mail or any other content.

Note that in an interactive session such as typing a password, characters are sent one by one in separate packets. That drastically lowers the probability that all packets will be captured. In addition, it is almost certain that typed characters will be overwritten by the contents of the attacking packets.

Shawn G. Kaminski
EDS Network Engineering - DowNET

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36823&t=36823
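The condition the advisory describes is a frame whose IPv4 total-length field claims more bytes than actually arrived on the wire. The following is an added example, not part of the post above and not Cisco's code: a small packet-capture check that parses the IPv4 header out of an Ethernet II frame and flags frames where the claimed IP length exceeds the bytes present, which is the kind of malformed traffic a defender would want an IDS or capture filter to surface near a CEF-enabled router. The frames it runs over are constructed inline (the `build_ipv4_frame` helper, its addresses and the unchecked header checksum are all assumptions for the sample, not real traffic).

```python
import struct

# Constants for Ethernet II framing (assumed link layer for this example).
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR_LEN = 20


def check_frame(frame: bytes):
    """Compare the IPv4 total-length field with the bytes actually present.

    Returns None for frames that are not IPv4 or are too short to parse.
    Otherwise returns a dict with the claimed length, the bytes present after
    the Ethernet header, and whether the claim exceeds what was received.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version = ip[0] >> 4
    ihl = (ip[0] & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HDR_LEN:
        return None
    claimed = struct.unpack("!H", ip[2:4])[0]
    present = len(ip)
    # Ethernet pads short frames up to 60 bytes, so present > claimed is
    # normal. The advisory's condition is the opposite, claimed > present,
    # which is what a CEF forwarder would have to "extend" with padding.
    return {
        "claimed": claimed,
        "present": present,
        "undersized": claimed > present,
        "deficit": max(0, claimed - present),
    }


def find_undersized(frames):
    """Return (index, deficit) for every frame whose IP length exceeds what arrived."""
    hits = []
    for i, frame in enumerate(frames):
        result = check_frame(frame)
        if result is not None and result["undersized"]:
            hits.append((i, result["deficit"]))
    return hits


def build_ipv4_frame(claimed_total_len: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4 frame for the sample (checksum left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 (20-byte header)
        0,                  # DSCP/ECN
        claimed_total_len,  # total length as written in the header
        0x1234,             # identification
        0,                  # flags / fragment offset
        64,                 # TTL
        17,                 # protocol: UDP
        0,                  # header checksum (not computed; constructed sample)
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )
    return eth + ip_hdr + payload


# Constructed sample traffic: one consistent frame and one whose header claims
# far more bytes than were actually put on the wire.
UDP_PAYLOAD = struct.pack("!HHHH", 53, 53, 12, 0) + b"ABCD"   # 8-byte UDP header + 4 data bytes
GOOD_FRAME = build_ipv4_frame(IPV4_MIN_HDR_LEN + len(UDP_PAYLOAD), UDP_PAYLOAD)
SHORT_FRAME = build_ipv4_frame(1000, UDP_PAYLOAD)
ARP_FRAME = b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28           # non-IPv4, should be skipped
SAMPLE_FRAMES = [GOOD_FRAME, SHORT_FRAME, ARP_FRAME, b"\x00" * 20]

if __name__ == "__main__":
    for idx, deficit in find_undersized(SAMPLE_FRAMES):
        print(f"frame {idx}: IP header claims {deficit} more bytes than were received")
```

The check deliberately ignores the opposite mismatch (more bytes on the wire than the IP header claims), since Ethernet minimum-frame padding produces that all the time; only the undersized direction matches the padding behaviour the advisory describes, and a hit on a monitored segment is a reason to confirm that CEF has been disabled or the image upgraded on the routers in that path.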

