FYI -----Original Message----- From: Cisco Systems Product Security Incident Response Team [mailto:[EMAIL PROTECTED] Sent: Friday, February 21, 2003 4:50 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Cisco response to Cisco IOS OSPF exploit
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Cisco PSIRT just responded to a recent posting on the BUGTRAQ mailing list regarding CSCdp58462. The original post may be found at http://www.securityfocus.com/archive/1/312510/2003-02-18/2003-02-24/0 Our response is attached. Thanks, - -Mike- - -- - ---------------------------------------------------------------------------- | || || | Mike Caudill | [EMAIL PROTECTED] | | || || | PSIRT Incident Manager | 919.392.2855 | | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)| | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------| | C i s c o S y s t e m s | http://www.cisco.com/go/psirt | - ---------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPla0H5PS/wbyNnWcEQIRBACePE3RVKI/I6rUcCtRs9c2NF7+BlwAoKoI mkL4NZABwYu0P/Mh5v4Ib/s3 =nx00 -----END PGP SIGNATURE----- >From [EMAIL PROTECTED] Fri Feb 21 17:29:54 2003 >Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) > by rooster.cisco.com (8.11.6+Sun/8.8.8) with ESMTP id h1LMTs023458 > for ; Fri, 21 Feb 2003 17:29:54 -0500 (EST) >Received: from rtp-cse-184.cisco.com (rtp-cse-184.cisco.com [64.102.51.44]) > by sj-msg-core-1.cisco.com (8.12.2/8.12.6) with ESMTP id h1LMTpSQ002294 > for ; Fri, 21 Feb 2003 14:29:51 -0800 (PST) >Received: (from [EMAIL PROTECTED]) > by rtp-cse-184.cisco.com (8.11.6+Sun/8.11.6) id h1LMToD25063; > Fri, 21 Feb 2003 17:29:50 -0500 (EST) >From: Mike Caudill >Message-Id: >Subject: Re: Cisco IOS OSPF exploit >To: [EMAIL PROTECTED] (FX) >Date: Fri, 21 Feb 2003 17:29:50 -0500 (EST) >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], > [EMAIL PROTECTED] (Mike Caudill), [EMAIL PROTECTED] (Damir Rajnovic), > [EMAIL PROTECTED] >In-Reply-To: from "FX" at Feb 20, 2003 05:45:19 PM >X-Mailer: ELM [version 2.5 PL2] >MIME-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >Content-Transfer-Encoding: 7bit >Status: RO -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco can confirm the statement made by FX from Phenoelit in his message "Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in certain Cisco IOS versions is vulnerable to a denial of service if it receives a flood of neighbor announcements in which more than 255 hosts try to establish a neighbor relationship per interface. One workaround for this issue is to configure OSPF MD5 authentication. This may be done per interface or per area. Another possible workaround is to apply inbound access lists to explicitly allow certain OSPF neighbors only: access-list 100 permit ospf host a.b.c.x host 224.0.0.5 access-list 100 permit ospf host a.b.c.x host interface_ip access-list 100 permit ospf host a.b.c.y host 224.0.0.5 access-list 100 permit ospf host a.b.c.y host interface_ip access-list 100 permit ospf host a.b.c.z host 224.0.0.5 access-list 100 permit ospf host a.b.c.z host interface_ip access-list 100 permit ospf any host 224.0.0.6 access-list 100 deny ospf any any access-list 100 permit ip any any Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability. This bug has been resolved. The following versions of Cisco IOS software are the first fixed releases, meaning that any subsequent releases also contain the fix: 12.0(19)S 12.0(19)ST 12.1(1) 12.1(1)DB 12.1(1)DC 12.1(1)T We would like to thank FX for his continued cooperation with us in the spirit of responsible disclosure and working to increase awareness of security issues. For information on working with the Cisco PSIRT regarding potential security issues, please see our contact information at http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problems Thank you, - -Mike- > Hi there, > > attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug > is long fixed, so if you still run OSPF on a old version of IOS, now is a good > time to give your routers some attention. > > FX > > -- > FX > Phenoelit (http://www.phenoelit.de) > 672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564 > > /* Cisco IOS IO memory exploit prove of concept > * by FX of Phenoelit > * http://www.phenoelit.de > * > * For: > * 19C3 Chaos Communication Congress 2002 / Berlin > * BlackHat Briefings Seattle 2003 > * > * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow > * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory > * structure (small buffer header). The attached program is a PoC to exploit > * this vulnerability by executing "shell code" on the router and write the > * attached configuration into NVRAM to basicaly own the router. > * - -- - ---------------------------------------------------------------------------- | || || | Mike Caudill | [EMAIL PROTECTED] | | || || | PSIRT Incident Manager | 919.392.2855 | | |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)| | ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------| | C i s c o S y s t e m s | http://www.cisco.com/go/psirt | - ---------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.2 iQA/AwUBPlaoLYpjyUnrvVJxEQLcZgCgxAkatIdM5EjV4uMcDgJqd/aFx9EAoPbm Sw0/fZvhc3uuv0NnuBwfSWnw =McnI -----END PGP SIGNATURE----- Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63594&t=63594 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
