Re: a really big bug [7:72463]

2003-07-18 Thread Peter Benac
I am glad you are not representative of the current Cisco Culture.

Your attitude in this matter really is not acceptable and I would hope that
Cisco's attitude would be better.

Any exploit, hypothetical or not, quickly spreads across the internet faster
than Bill Gates can find another security flaw in Windows.

My Solaris servers that face the internet are under constant bombardment
from would-be Windows script kiddies. It doesn't matter to them whether I
have a Solaris system or a Windows system. They want to be real hackers and
will try anything that is posted. This applies to other systems as well.
Cisco has the major market share and therefore is the primary target.

Cisco is not Microsoft, and never has been. They have always put their flaws
right in people's faces. The infamous SNMP bug was published and fixed long
before CERT published it. Cisco has a PSIRT team whose sole function in life
is security risk assessment.

I have never known Cisco to call a potential Security threat
Entertainment.  Perhaps we should send your response to this to John
Chambers and see what he will say.

I still remember his e-mail address since I too am an ex-Cisco employee.

Regards,
Pete

Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Providing Systems and Network Consulting, Training, Web Hosting Services
Phone: 919-847-1740 or 866-701-2345
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit
http://www.nmsusers.org

To have principles...
 First have courage.. With principles comes integrity!!!



I sincerely hope that Cisco is not becoming Microsoft.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72565t=72463
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: a really big bug [7:72463]

2003-07-18 Thread [EMAIL PROTECTED] (John Nemeth)
On Dec 7,  2:55pm, Kazan, Naim wrote:
}
} Cisco advised us of a new catastrophic bug CSCeb56052 within the new IOS.  

 I tried looking that one up and got an error saying that it
couldn't be displayed.

}-- End of excerpt from Kazan, Naim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72566t=72463


Re: a really big bug [7:72463]

2003-07-18 Thread John Neiberger
Oh man... Now Fred *and* Pete are on this list? What is happening to this
place??  :-)

It's good to see both of you here.

John


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72571t=72463


Re: a really big bug [7:72463]

2003-07-18 Thread Zsombor Papp
Perhaps you slightly misunderstood my attitude and are jumping to 
conclusions so that you can put a convenient label on me.

I am not saying that Cisco should keep security problems a secret, rather 
that dissemination of information about sensitive issues posing a security 
threat to many should be carefully considered and coordinated.

If you have access to the applicable bug reports, you will see that it was 
exactly the PSIRT team who carefully edited/removed all enclosures to make 
sure that the information necessary to reproduce the attack is not easily 
extracted. All the protocol names were replaced by XXX, for example. 
Personally, I was impressed by the thorough job they did. The only hints I 
could find were the code diffs.

Now, does this mean that Cisco wants to hide the problems? Not at all. As 
you say, Cisco has always been good at publishing security flaws. The 
Security Advisory in question is still being updated, too. So I think Cisco 
has deserved some patience and the right to decide when to publish what 
information.

Having said that, I am not writing to this mailing list as a representative 
of Cisco. What I say is my personal opinion (and believe it or not, it is 
not influenced by the fact that I work for Cisco -- only what I do *not* 
say is influenced by that fact). I am using my Cisco email because it is 
convenient. I had hoped that people on this list were mature enough to
realize this, but perhaps I was wrong. I will switch to Yahoo now.

   Perhaps we should send your response to this to John
Chambers and see what he will say.

Will you also tell your daddy/bigger brother about me? :)

Thanks,

Zsombor





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72570t=72463


RE: a really big bug [7:72463]

2003-07-18 Thread Robertson, Douglas
I would like the opinion of the group as to what they are suggesting to
customers or doing on their own network. I am of the opinion that as long as
the network (intranet) has been correctly protected, with firewalls/ACLs on
the perimeter and the internal network device IPs not accessible from the
Internet, there should be no immediate requirement to go through the entire
network upgrading the IOS. This could introduce some new bug/issue into the
network that will have more catastrophic consequences than the remote
possibility of someone attacking a router/switch and causing a port to stop
forwarding packets for a small time period. The workaround for fixing a
device that has been attacked is to simply increase the input buffer (this
will allow the port to start forwarding packets again) and then schedule a
reload. This is much more predictable than introducing a new bug (known or
unknown) into the network by upgrading all the devices. If there was already
a project underway to upgrade the network then obviously upgrade to the fixed
versions.

So my standpoint is to ensure that the perimeter devices offer the required
protection against this attack and not upgrade a stable and functional
network based only on this vulnerability.

Again this is my opinion and I just want to find out if I am way off base or
if this is what other professionals are doing.


Thanks Doug





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72574t=72463


Re: a really big bug [7:72463]

2003-07-18 Thread John Neiberger
 Zsombor Papp 7/18/03 8:40:09 AM 
Perhaps you slightly misunderstood my attitude and are jumping to 
conclusions so that you can put a convenient label on me.

From my vantage point this does seem to be a misunderstanding among those
involved. I don't think people were trying to label you, per se; they just
sensed that you were 'copping an attitude' when it sounds like you weren't.
My vote is that we chalk it up to misunderstanding, knowing that postings
and emails often don't do a great job of conveying intent or emotion.

Regarding your change of address, I'd prefer that you stick with the Cisco
address. There are a few participants that work for Cisco and we all
understand that they participate for personal reasons, not as official
representatives of Cisco. Besides, the last thing we need is more Yahoo
users.  ;-)

Regards,
John







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72576t=72463


RE: a really big bug [7:72463]

2003-07-18 Thread Reimer, Fred
I do not agree, although I believe my own co-worker does. Where do you
think attacks on the Internet are launched from? Yes, there may be some
loser of a person (script kiddie) launching an attack from their home
network, but I'd guess that a fair amount of attacks are launched from
inside corporate networks (or universities).

With that said, it is obvious that the first and most important fix be on
the outside, Internet accessible, IOS devices.  However, I do not believe
that internal devices are immune.  They will be until easy-to-use exploit
tools become available (how many organizations have competent black-hats
inside their network that will be capable of determining the magic packets
on their own?), but I wouldn't be willing to bet on that timeframe.

It sounds to me, from my reading of the advisory, that it's a little more
complicated than simply increasing the input buffer.  With a default of 75
on some routers, it wouldn't take that much traffic to completely block ALL
interfaces on a device so that you couldn't even get to it to increase the
buffers, and it doesn't take a rocket scientist to figure that out.

In all likelihood an attack would spew out the appropriate number of packets
to all router interfaces in your entire network, that's what I would do if I
were launching an attack, a task likely accomplishable in a small number of
seconds.  Because of this, you may not even be able to determine where the
attack was coming from, and your entire network would be down until you
manually reset each IOS device, even at remote sites, which may take quite a
while to do.  As soon as you reset the device, its interfaces would be
blocked again.  So, your only recourse would be to unplug the device from
the network entirely, upgrade the IOS, and then put it back in the network.

Actually, it may not be as bad as that.  Wherever the attack is originating
from wouldn't be able to get past their immediate default router once it was
blocked.  So, a successful system-wide attack would have to start at the
edges of the network, disabling them and then moving towards the attacker.
Still doable in a short amount of time, but some planning would be required.
It would also mean that you would need to start rebooting / upgrading at
your network edge before you tackle the core (assuming the attacker was at
the core) because as soon as you opened up the core then the attacker would
be able to disable the network again.  This could be a way of finding the
attacker.

Unless it is designed as a DDoS.  Then you are screwed.

In order to defend against an attack you need to imagine how you would
devise one.  I'd be willing to bet that I could disable your whole entire
network if I were given access inside somehow (VPN, dial-up, etc), and I had
access to the magic packets.

Will this doomsday scenario materialize quickly?  I don't believe so.
However, since I build and support networks in hospitals not doing anything
is not an option.  Keep in mind that most hospitals have a hard time
scheduling time for maintenance.  It will likely take a few months to get
all devices upgraded.  (Scheduling at night is sometimes not better than in
the morning, as after dark and after bars close is usually not a good time
to have the lab interface, or MRI devices, off-line.  Shift change is also
usually not a good option, nor is the time that doctors make their rounds).

My recommendation would be to upgrade all IOS devices as maintenance windows
allow.  At a minimum install the ACLs that Cisco recommends on all routers
immediately.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE: This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.
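Fred's point above, that with a default input queue of 75 an attacked device can wedge every interface before anyone reaches it, and Douglas's earlier workaround of raising the input buffer on an affected interface both come down to the same check: which interfaces have an input queue stuck at its maximum. The following Python script is an added example, not code from the thread, from Cisco, or from any of its participants; it parses the per-interface "Input queue: size/max/drops/flushes" line that IOS prints in `show interfaces` output and reports interfaces whose queue is held at max while the line protocol is still up. The sample output, its interface names, addresses and MAC address are constructed.

```python
"""Flag Cisco IOS interfaces whose input queue is wedged (size == max).

Added example, not code from the thread or from Cisco. It parses the
"Input queue: size/max/drops/flushes" line that IOS prints for each
interface in `show interfaces` output; the sample output below is
constructed, including its addresses and MAC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interface header line, e.g. "FastEthernet0/0 is up, line protocol is up"
IFACE_RE = re.compile(
    r"^(?P<name>\S+) is (?P<admin>up|down|administratively down), "
    r"line protocol is (?P<proto>up|down)"
)
# Queue line, e.g. "Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0"
QUEUE_RE = re.compile(
    r"Input queue: (?P<size>\d+)/(?P<max>\d+)/(?P<drops>\d+)/(?P<flushes>\d+)"
)


@dataclass
class QueueState:
    name: str
    proto_up: bool
    size: int
    max: int
    drops: int
    flushes: int

    @property
    def wedged(self) -> bool:
        # The symptom discussed in the thread: the queue sits at its maximum
        # (75 by default) while the line protocol is still up, so the
        # interface looks healthy but no longer processes received traffic.
        return self.proto_up and self.size >= self.max


def parse_show_interfaces(text: str) -> list[QueueState]:
    """Return one QueueState per interface block found in `show interfaces` text."""
    states: list[QueueState] = []
    current: tuple[str, bool] | None = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            current = (head["name"], head["proto"] == "up")
            continue
        queue = QUEUE_RE.search(line)
        if queue and current:
            name, proto_up = current
            states.append(QueueState(name, proto_up, int(queue["size"]),
                                     int(queue["max"]), int(queue["drops"]),
                                     int(queue["flushes"])))
            current = None  # one queue line per interface block
    return states


def wedged_interfaces(text: str) -> list[str]:
    """Names of interfaces whose input queue is held at its maximum."""
    return [s.name for s in parse_show_interfaces(text) if s.wedged]


# Constructed sample: RFC 5737 documentation addresses and a made-up MAC.
SAMPLE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Internet address is 192.0.2.1/24
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
FastEthernet0/1 is up, line protocol is up
  Internet address is 198.51.100.1/24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Serial0/0 is up, line protocol is down
  Input queue: 75/75/12/0 (size/max/drops/flushes); Total output drops: 4
"""

if __name__ == "__main__":
    for state in parse_show_interfaces(SAMPLE):
        flag = "WEDGED" if state.wedged else "ok"
        print(f"{state.name:16} {state.size}/{state.max} drops={state.drops} {flag}")
```

The Serial0/0 block in the sample shows the edge case the check deliberately ignores: a full queue on an interface whose line protocol is down is a different fault, not the wedge this thread is about. As Fred notes, once every interface on a device is wedged you cannot collect `show interfaces` across the network at all, so run this against console-captured output or against output you were already polling on a schedule; the list it produces is also the list of interfaces to look at before trying Douglas's input-buffer adjustment and reload.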



RE: a really big bug [7:72463]

2003-07-18 Thread Larry Letterman
We installed ACLs on all our routers last night, which was the
workaround.


Larry Letterman
Cisco Systems








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72582t=72463


RE: a really big bug [7:72463]

2003-07-18 Thread Reimer, Fred
Pete just informed me that CERT just released an advisory that the exploit
was posted publicly.  Sure glad I didn't bet on the timeframe!  Plus, there
are indications that this has been seen in the wild.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050





Re: a really big bug [7:72463]

2003-07-18 Thread




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72588t=72463


Re: a really big bug [7:72463]

2003-07-18 Thread
Cisco must face interesting dilemmas regarding what is done on the corporate
net side of things.
If it's any of my beeswax, do you pretty much forbid attachment of research
and experimental nets to the main corporate net?


Larry Letterman  wrote in message
news:[EMAIL PROTECTED]
 We installed ACLs on all our routers last night, which was the
 workaround.


 Larry Letterman
 Cisco Systems




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Robertson, Douglas
 Sent: Friday, July 18, 2003 7:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: a really big bug [7:72463]


 I would like the opinion of the group as to what they are suggesting to
 customers or doing on their own network. I am of the opinion that as
 long as the network (Intranet) has been correctly protected,
 firewalls/ACL on the perimeter and that the internal network device IPs
 are not accessible from the Internet, there should be no immediate
 requirement to go through the entire network upgrading the IOS. This
 could introduce some new bug/issue into the network that will have more
 catastrophic consequences than the remote possibility of someone
 attacking a router/switch and causing a port to stop forwarding packets
 for a small time period. The workaround for fixing a device that has
 been attacked is to simply increase the input buffer (this will allow
 the port to start forwarding packets again) and then schedule a reload.
 This is much more predictable than introducing a new bug (known or
 unknown) into the network by upgrading all the devices. If there was
 already a project underway to upgrade the network then obviously upgrade
 to the fixed versions.

 So my standpoint is to ensure that the perimeter devices offer the
 required protection against this attack and not upgrade a stable and
 functional network based only on this vulnerability.

 Again, this is my opinion and I just want to find out if I am way off
 base or if this is what other professionals are doing.


 Thanks Doug

 -Original Message-
 From: Peter Benac [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 7:44 AM
 To: [EMAIL PROTECTED]
 Subject: Re: a really big bug [7:72463]


 I am glad you are not representative of the current Cisco culture.

 Your attitude in this matter really is not acceptable and I would hope
 that Cisco's attitude would be better.

 Any exploit, hypothetical or not, quickly spreads across the internet
 faster than Bill Gates can find another security flaw in Windows.

 My Solaris servers that face the internet are under constant bombardment
 from would-be Windows script kiddies. It doesn't matter to them whether
 I have a Solaris system or a Windows system. They want to be real
 hackers and will try anything that is posted. This applies to other
 systems as well.
 Cisco has the major market share and therefore is the primary target.

 Cisco is not Microsoft, and never has been. They have always put their
 flaws right in people's faces. The infamous SNMP bug was published and
 fixed long before CERT published it. Cisco has a PSIRT team whose sole
 function in life is security risk assessment.

 I have never known Cisco to call a potential security threat
 "entertainment". Perhaps we should send your response to this to John
 Chambers and see what he will say.

 I still remember his e-mail address since I too am an ex-Cisco employee.


 Regards,
 Pete

 Peter P. Benac, CCNA
 Emacolet Networking Services, Inc
 Providing Systems and Network Consulting, Training, Web Hosting Services
 Phone: 919-847-1740 or 866-701-2345
 Web: http://www.emacolet.com
 Need quick, reliable Systems or Network Management advice? Visit
 http://www.nmsusers.org

 To have principles...
  First have courage.. With principles comes integrity!!!



 I sincerely hope that Cisco is not becoming Microsoft.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72589t=72463


Re: a really big bug [7:72463]

2003-07-18 Thread Priscilla Oppenheimer
 be to upgrade all IOS devices as maintenance windows allow. At a minimum,
 install the ACLs that Cisco recommends on all routers immediately.

 Fred Reimer - CCNA


 Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
 Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


 NOTICE; This email contains confidential or proprietary information which
 may be legally privileged. It is intended only for the named recipient(s).
 If an addressing or transmission error has misdirected the email, please
 notify the author by replying to this message. If you are not the named
 recipient, you are not authorized to use, disclose, distribute, copy, print
 or rely on this email, and should immediately delete it from your computer.


 -Original Message-
 From: Robertson, Douglas [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 10:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: a really big bug [7:72463]

 I would like the opinion of the group as to what they are suggesting to
 customers or doing on their own network. I am of the opinion that as long as
 the network (Intranet) has been correctly protected, firewalls/ACL on the
 perimeter and that the internal network device IPs are not accessible from
 the Internet, there should be no immediate requirement to go through the
 entire network upgrading the IOS. This could introduce some new bug/issue
 into the network that will have more catastrophic consequences than the
 remote possibility of someone attacking a router/switch and causing a port
 to stop forwarding packets for a small time period. The workaround for
 fixing a device that has been attacked is to simply increase the input
 buffer (this will allow the port to start forwarding packets again) and
 then schedule a reload. This is much more predictable than introducing a new
 bug (known or unknown) into the network by upgrading all the devices. If
 there was already a project underway to upgrade the network then obviously
 upgrade to the fixed versions.

 So my standpoint is to ensure that the perimeter devices offer the required
 protection against this attack and not upgrade a stable and functional
 network based only on this vulnerability.

 Again, this is my opinion and I just want to find out if I am way off base
 or if this is what other professionals are doing.


 Thanks Doug
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72592t=72463


RE: a really big bug [7:72463]

2003-07-18 Thread Seth Collins
Correct me if I am wrong, but an ACL on the interface that denies all traffic
DEST to your router will prevent this "full queue" status. I haven't had
time to read as much as I should. I placed 12.3 on my routers 2 weeks ago.
The way I understand it is that I am OK. I don't feel that way, but that's
what I have heard. Sorry for being out of the loop, but I have been in
class this week and haven't had time to read up on this.

Thank you,
Seth

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:49 PM
To: [EMAIL PROTECTED]
Subject: Re: a really big bug [7:72463]


Alas, are we going to see the demise of trace-route as a useful
troubleshooting and performance tracking tool? Probably would make sense. It
sure makes it easy to find router addresses! :-)

Good to have you back, Chuck. I hope the road is treating you well.

Priscilla

Chuck Whose Road is Ever Shorter wrote:
 
 Nice post. A couple of thoughts in line below:
 
 Reimer, Fred  wrote in message
 news:[EMAIL PROTECTED]
  I do not agree, although I believe my own co-worker does. Where do you
  think attacks on the Internet are launched from? Yes, there may be some
  loser of a person (script kiddie) launching an attack from their home
  network, but I'd guess that a fair amount of attacks are launched from
  inside corporate networks (or universities).
 
 especially universities and other educational institutions - don't forget
 your tech schools :-
 
 
  With that said, it is obvious that the first and most important fix be on
  the outside, Internet accessible, IOS devices. However, I do not believe
  that internal devices are immune. They will be until easy-to-use exploit
  tools become available (how many organizations have competent black-hats
  inside their network that will be capable of determining the magic packets
  on their own?), but I wouldn't be willing to bet on that timeframe.
 
  It sounds to me, from my reading of the advisory, that it's a little more
  complicated than simply increasing the input buffer. With a default of 75
  on some routers, it wouldn't take that much traffic to completely block ALL
  interfaces on a device so that you couldn't even get to it to increase the
  buffers, and it doesn't take a rocket scientist to figure that out.
 
  In all likelihood an attack would spew out the appropriate number of packets
  to all router interfaces in your entire network, that's what I would do if I
  were launching an attack, a task likely accomplishable in a small number of
  seconds. Because of this, you may not even be able to determine where the
  attack was coming from, and your entire network would be down until you
  manually reset each IOS device, even at remote sites, which may take quite a
  while to do. As soon as you reset the device, its interfaces would be
  blocked again. So, your only recourse would be to unplug the device from
  the network entirely, upgrade the IOS, and then put it back in the network.
 
 it occurs to me that an attack of this nature requires the patience to seek
 out and record the IPs of all router interfaces. the ethernet side is
 usually not too difficult. most folks use the same IP host number on all of
 their routers, all of their subnets. usually 1, 100, 101 or 254. Discovering
 WAN interface addressing would be more difficult, but traceroute has its
 purpose ;- Which leads to the advice that a well constructed access-list
 might also include methods for suppressing reporting of this information.
 
 
  Actually, it may not be as bad as that. Wherever the attack is originating
  from wouldn't be able to get past their immediate default router once it was
  blocked. So, a successful system-wide attack would have to start at the
  edges of the network, disabling them and then moving towards the attacker.
  Still doable in a short amount of time, but some planning would be required.
  It would also mean that you would need to start rebooting / upgrading at
  your network edge before you tackle the core (assuming the attacker was at
  the core) because as soon as you opened up the core then the attacker would
  be able to disable the network again. This could be a way of finding the
  attacker.
 
 this does not address the mobile user or the trusted consultant, both of
 which many enterprises have many.
 
 
 
  Unless it is designed as a DDoS. Then you are screwed.
 
  In order to defend against an attack you need to imagine how you would
  devise one. I'd be willing to bet that I could disable your whole entire
  network if I were given access inside somehow (VPN, dial-up, etc), and I had
  access to the magic packets.
 
 don't forget your wireless, particularly those rogue access points.
 
 
  Will this doomsday scenario materialize quickly? I don't believe so.
  However, since I build and support networks in hospitals not doing anything
  is not an option. Keep

Re: a really big bug [7:72463]

2003-07-18 Thread Adam Frederick
So having a firewall in front of the edge will not stop the packets? We
have a unique setup with bridging in place, so we don't have a router in
front of the firewall, just plugging straight into the outside port on a
515e. We do have a 3745 at the collapsed core that feeds to all of our
remote sites by T1. Any insight on this is appreciated.

Thanks

Adam
- Original Message - 
From: Chuck Whose Road is Ever Shorter 
To: 
Sent: Thursday, July 17, 2003 10:22 PM
Subject: Re: a really big bug [7:72463]


 Daniel Cotts  wrote in message
 news:[EMAIL PROTECTED]
  53 SWIPE   IP with Encryption[JI6]
  55 MOBILE  IP Mobility   [Perkins]


 Oh great. So any joker with a wireless LAN card can crash your Cisco
 wireless network, security or no?



  77 SUN-ND  SUN ND PROTOCOL-Temporary [WM3]
  103 PIM Protocol Independent Multicast  [Farinacci]
 
   -Original Message-
   From: Lance Warner [mailto:[EMAIL PROTECTED]
  
   They are not port numbers but rather *protocol* numbers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72600t=72463
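The numbers quoted in the post above are IP protocol numbers, not TCP/UDP ports, which is what a perimeter filter or an IDS rule has to match on. As an added example (not code from this thread or from Cisco's advisory), the Python below parses raw IPv4 headers and flags packets carrying protocols 53, 55, 77 or 103 towards a router's own interface addresses, then tallies them per target so a burst at one interface stands out; the router addresses and the sample packets are constructed for the demonstration.

```python
"""Flag IPv4 packets carrying protocols 53, 55, 77 or 103 towards router
interface addresses.  Added illustration for this thread; not Cisco's code.
"""
import ipaddress
import struct
from typing import Dict, Iterable, Optional, Set

# IP protocol numbers (not TCP/UDP ports) as quoted in the thread,
# with their IANA names.
WATCHED_PROTOCOLS: Dict[int, str] = {
    53: "SWIPE",
    55: "MOBILE",
    77: "SUN-ND",
    103: "PIM",
}

# Constructed for the demo: addresses of the router interfaces we protect.
ROUTER_ADDRESSES: Set[ipaddress.IPv4Address] = {
    ipaddress.IPv4Address("192.0.2.1"),
    ipaddress.IPv4Address("192.0.2.254"),
}

# Fixed 20-byte IPv4 header: ver/ihl, tos, total len, id, flags/frag,
# ttl, protocol, checksum, src, dst.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header; raise ValueError if it is malformed."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = IPV4_HEADER.unpack_from(packet)
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "protocol": proto,
        "ttl": ttl,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "header_len": ihl,
    }


def classify(packet: bytes,
             router_addresses: Set[ipaddress.IPv4Address] = ROUTER_ADDRESSES
             ) -> Optional[str]:
    """Return an alert string for a watched protocol aimed at a router
    interface, or None for anything else (including malformed input)."""
    try:
        hdr = parse_ipv4_header(packet)
    except ValueError:
        return None
    name = WATCHED_PROTOCOLS.get(hdr["protocol"])
    if name is None or hdr["dst"] not in router_addresses:
        return None
    return f"proto {hdr['protocol']} ({name}) {hdr['src']} -> {hdr['dst']}"


def count_by_target(packets: Iterable[bytes]) -> Dict[str, int]:
    """Tally alerts per router address: the advisory talks about a
    sequence of packets, so a burst at one interface matters more than
    a single stray packet."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        alert = classify(pkt)
        if alert is not None:
            target = alert.rsplit(" -> ", 1)[1]
            counts[target] = counts.get(target, 0) + 1
    return counts


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 header (checksum left zero) as constructed
    sample input for the detector above."""
    header = IPV4_HEADER.pack(
        0x45, 0, IPV4_HEADER.size + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


if __name__ == "__main__":
    # Constructed sample capture: one ordinary TCP packet, two watched
    # protocols aimed at a router, one watched protocol aimed at a host.
    sample = [
        build_ipv4(6, "198.51.100.7", "192.0.2.1"),
        build_ipv4(103, "198.51.100.7", "192.0.2.1"),
        build_ipv4(53, "198.51.100.9", "192.0.2.1"),
        build_ipv4(53, "198.51.100.9", "192.0.2.77"),
    ]
    for line in filter(None, map(classify, sample)):
        print(line)
    print(count_by_target(sample))
```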


RE: a really big bug [7:72463]

2003-07-18 Thread Larry Letterman
Our engineering labs would be the experimental part of your
statement; they are connected to the backbone through gateways that
have strict ACLs and statics. They can also be blackholed in a few
seconds' time if they are causing any issues.


Larry Letterman
Cisco Systems




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 18, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: Re: a really big bug [7:72463]


Cisco must face interesting dilemmas regarding what is done on the
corporate net side of things. If it's any of my beeswax, do you pretty
much forbid attachment of research and experimental nets to the main
corporate net?


Larry Letterman  wrote in message
news:[EMAIL PROTECTED]
 We installed ACLs on all our routers last night, which was the
 workaround.


 Larry Letterman
 Cisco Systems




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
 Of Robertson, Douglas
 Sent: Friday, July 18, 2003 7:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: a really big bug [7:72463]


 I would like the opinion of the group as to what they are suggesting
 to customers or doing on their own network. I am of the opinion that
 as long as the network (Intranet) has been correctly protected,
 firewalls/ACL on the perimeter and that the internal network device
 IPs are not accessible from the Internet, there should be no immediate
 requirement to go through the entire network upgrading the IOS. This
 could introduce some new bug/issue into the network that will have
 more catastrophic consequences than the remote possibility of someone
 attacking a router/switch and causing a port to stop forwarding
 packets for a small time period. The workaround for fixing a device
 that has been attacked is to simply increase the input buffer (this
 will allow the port to start forwarding packets again) and then
 schedule a reload. This is much more predictable than introducing a
 new bug (known or unknown) into the network by upgrading all the
 devices. If there was already a project underway to upgrade the
 network then obviously upgrade to the fixed versions.

 So my standpoint is to ensure that the perimeter devices offer the
 required protection against this attack and not upgrade a stable and
 functional network based only on this vulnerability.

 Again, this is my opinion and I just want to find out if I am way off
 base or if this is what other professionals are doing.


 Thanks Doug

 -Original Message-
 From: Peter Benac [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 18, 2003 7:44 AM
 To: [EMAIL PROTECTED]
 Subject: Re: a really big bug [7:72463]


 I am glad you are not representative of the current Cisco culture.

 Your attitude in this matter really is not acceptable and I would hope
 that Cisco's attitude would be better.

 Any exploit, hypothetical or not, quickly spreads across the internet
 faster than Bill Gates can find another security flaw in Windows.

 My Solaris servers that face the internet are under constant
 bombardment from would-be Windows script kiddies. It doesn't matter to
 them whether I have a Solaris system or a Windows system. They want to
 be real hackers and will try anything that is posted. This applies to
 other systems as well. Cisco has the major market share and therefore
 is the primary target.

 Cisco is not Microsoft, and never has been. They have always put their
 flaws right in people's faces. The infamous SNMP bug was published and
 fixed long before CERT published it. Cisco has a PSIRT team whose sole
 function in life is security risk assessment.

 I have never known Cisco to call a potential security threat
 "entertainment". Perhaps we should send your response to this to John
 Chambers and see what he will say.

 I still remember his e-mail address since I too am an ex-Cisco
 employee.


 Regards,
 Pete

 Peter P. Benac, CCNA
 Emacolet Networking Services, Inc
 Providing Systems and Network Consulting, Training, Web Hosting
 Services
 Phone: 919-847-1740 or 866-701-2345
 Web: http://www.emacolet.com
 Need quick, reliable Systems or Network Management advice? Visit
 http://www.nmsusers.org

 To have principles...
  First have courage.. With principles comes integrity!!!



 I sincerely hope that Cisco is not becoming Microsoft.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72604t=72463


a really big bug [7:72463]

2003-07-17 Thread Oscar
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

lots and lots of IOS versions are affected

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72463t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Priscilla Oppenheimer
Oscar wrote:
 
 Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4
 Packet
 
 lots and lots of IOS versions are affected
 
 http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
 
 

Thanks for the link. It's scary. Of course, with the proper ACLs, a router
wouldn't be affected, but probably lots of routers don't have the proper
ACLs.

Anyone know the details? The advisory just says this:

A rare, specially crafted sequence of IPv4 packets which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag the
input queue on an interface as full, which will cause the router to stop
processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers.

I think Cisco was right not to publish the details about these rare,
specially crafted packets, but does anyone have the details? Maybe if you
can get to the bugtracker, the details are in there.

Thanks

Priscilla







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72487t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Priscilla Oppenheimer
Zsombor Papp wrote:
 
 At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote:
 I think Cisco was right not to publish the details about these
 rare,
 specially crafted packets,
 
 I think so. Along the same lines, you also shouldn't publish it
 even if you
 know it. :)
 
   but does anyone have the details? Maybe if you
 can get to the bugtracker, the details are in there.
 
 Usually these details are carefully removed from every publicly
 available
 document after they turn out to be a security risk.

Of course, the details will get published. I was just hoping someone could
help me be more efficient in finding the details. The routers at my ISP (my
husband's company) aren't Cisco but we will be affected by attempts with
these packets. What do the packets look like? What should we be on the
lookout for? We will probably have to program our IDS to protect ourselves.

For anyone new to the thread, I'm talking about the packets mentioned in
this Cisco advisory:

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet 

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml 

Thanks,

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72494t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Zsombor Papp
At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote:
I think Cisco was right not to publish the details about these rare,
specially crafted packets,

I think so. Along the same lines, you also shouldn't publish it even if you 
know it. :)

  but does anyone have the details? Maybe if you
can get to the bugtracker, the details are in there.

Usually these details are carefully removed from every publicly available 
document after they turn out to be a security risk.

Thanks,

Zsombor




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72492t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Arnold, Jamie
Just got a call from our Cisco vendor...he said he's getting calls from some
major clients that have routers that are affected. 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: a really big bug [7:72463]

Oscar wrote:
 
 Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
 
 lots and lots of IOS versions are affected
 
 http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
 
 

Thanks for the link. It's scary. Of course, with the proper ACLs, a router
wouldn't be affected, but probably lots of routers don't have the proper
ACLs.

Anyone know the details? The advisory just says this:

A rare, specially crafted sequence of IPv4 packets which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag the
input queue on an interface as full, which will cause the router to stop
processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers.

I think Cisco was right not to publish the details about these rare,
specially crafted packets, but does anyone have the details? Maybe if you
can get to the bugtracker, the details are in there.

Thanks

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72497t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread MADMAN
Priscilla Oppenheimer wrote:
 Oscar wrote:
 
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4
Packet

lots and lots of IOS versions are affected

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml


 
 
 Thanks for the link. It's scary. Of course, with the proper ACLs, a router
 wouldn't be affected, but probably lots of routers don't have the proper
 ACLs.
 
 Anyone know the details? The advisory just says this:

   Don't know the details but talking with a couple of Cisco engineers 
they don't know of anyone being hit.  It's a good wakeup for those that 
don't already have common sense ACLs to get them in place and for others 
to upgrade routers that are running old IOS!

   Dave

 
 A rare, specially crafted sequence of IPv4 packets which is handled by the
 processor on a Cisco IOS device may force the device to incorrectly flag
the
 input queue on an interface as full, which will cause the router to stop
 processing inbound traffic on that interface. This can cause routing
 protocols to drop due to dead timers.
 
 I think Cisco was right not to publish the details about these rare,
 specially crafted packets, but does anyone have the details? Maybe if you
 can get to the bugtracker, the details are in there.
 
 Thanks
 
 Priscilla
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

Government can do something for the people only in proportion as it
can do something to the people. -- Thomas Jefferson




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72503t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Kazan, Naim
Cisco advised us of a new catastrophic bug CSCeb56052 within the new IOS.  

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: a really big bug [7:72463]


Just got a call from our Cisco vendor...he said he's getting calls from some
major clients that have routers that are affected. 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: a really big bug [7:72463]

Oscar wrote:
 
 Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
 
 lots and lots of IOS versions are affected
 
 http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
 
 

Thanks for the link. It's scary. Of course, with the proper ACLs, a router
wouldn't be affected, but probably lots of routers don't have the proper
ACLs.

Anyone know the details? The advisory just says this:

A rare, specially crafted sequence of IPv4 packets which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag the
input queue on an interface as full, which will cause the router to stop
processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers.

I think Cisco was right not to publish the details about these rare,
specially crafted packets, but does anyone have the details? Maybe if you
can get to the bugtracker, the details are in there.

Thanks

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72509t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Duncan Maccubbin
I was on a conference call with Cisco and the Cisco rep felt we were
overreacting by rushing to change our code right away. He said that the
packet was extremely difficult to create and the person would have to be a
genius to make it.

Duncan

At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote:
Oscar wrote:
 
  Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4
  Packet
 
  lots and lots of IOS versions are affected
 
  http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
 
 

Thanks for the link. It's scary. Of course, with the proper ACLs, a router
wouldn't be affected, but probably lots of routers don't have the proper
ACLs.

Anyone know the details? The advisory just says this:

A rare, specially crafted sequence of IPv4 packets which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag the
input queue on an interface as full, which will cause the router to stop
processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers.

I think Cisco was right not to publish the details about these rare,
specially crafted packets, but does anyone have the details? Maybe if you
can get to the bugtracker, the details are in there.

Thanks

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72510t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread M.C. van den Bovenkamp
Duncan Maccubbin wrote:

 I was on a conference call with Cisco and the Cisco rep felt we were 
 overreacting by rushing to change our code right away, He said that the 
 packet was extremely difficult to create and the person would have to be a 
 genius to make it.

As we don't know exactly *what* you need to do, it's difficult to say 
whether he's right or not. But my gut says he's wrong; as soon as you 
*do* know, there are 'packetfactory'-tools enough about...

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72513t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Lance Warner
I've read the ACL section of the advisory again and again thinking I missed
something, and for the life of me I can't find any reference to a particular
type of traffic that should be blocked. It looks like the regular "block
traffic from sources you know shouldn't be hitting your network
(10. - 172.16 - 192.168)" and also block any ports you know your users don't
need. Please let me know what I'm missing here.
Thanks,
Lance


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72521t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Priscilla Oppenheimer
It sounds like this is a hypothetical packet and situation that Cisco
quality assurance discovered. I thought it was something already being
exploited, but it doesn't sound like it. In that case, I guess I support
Cisco not telling us more about it.

It's sort of an age-old security question of how much info to publish. The
info would help the white hats, but also the black hats.

Unfortunately, I can't look at bug reports (even with my guest access!?).
Maybe there's more in the bug reports. I still want to know more about these
packets. :-) But I guess I'll have to do more research.

Priscilla

M.C. van den Bovenkamp wrote:
 
 Duncan Maccubbin wrote:
 
  I was on a conference call with Cisco and the Cisco rep felt
 we were
  overreacting by rushing to change our code right away, He
 said that the
  packet was extremely difficult to create and the person would
 have to be a
  genius to make it.
 
 As we don't know exactly *what* you need to do, it's difficult
 to say
 whether he's right or not. But my gut says he's wrong; as soon
 as you
 *do* know, there are 'packetfactory'-tools enough about...
 
   Regards,
 
   Marco.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72520t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Wilmes, Rusty
As we don't know exactly *what* you need to do, it's difficult to say 
whether he's right or not. But my gut says he's wrong; as soon as you 
*do* know, there are 'packetfactory'-tools enough about...

...and if you have ONE port accessible from the internet there's about a
gazillion possible culprits...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72532t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Lance Warner
they just edited the page - here are specific ports to block :)


http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72530t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Zsombor Papp
At 09:54 PM 7/17/2003 +, Priscilla Oppenheimer wrote:
> It sounds like this is a hypothetical packet and situation that Cisco
> quality assurance discovered. I thought it was something already being
> exploited, but it doesn't sound like it. In that case, I guess I support
> Cisco not telling us more about it.

And in which case wouldn't you? If you are running any of the affected 
versions, then upgrade the routers or apply the workaround (and if you 
can't do any of these, then you should be right away grateful for Cisco not 
being very specific...).

If you are not using any of the affected versions (if I understood 
correctly, you are not even using IOS to start with), then why do you worry 
about this?

I can understand that people's curiosity is always aroused by mysterious 
things that can kill a router, but keeping other people's production 
network operational is slightly more important than providing entertainment 
to the public. :)

Thanks,

Zsombor



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72537t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Zsombor Papp
At 10:02 PM 7/17/2003 +, Lance Warner wrote:
> I've read the ACL section of the advisory again and again thinking I missed
> something and I for the life of me can't find any reference to a particular
> type of traffic that should be blocked. It looks like the regular block
> traffic from sources you know shouldn't be hitting your network
> (10. - 172.16 - 192.168) and also block any ports you know your users don't
> need. Please let me know what I'm missing here.

Probably the fact that an exact ACL would also reveal how you can disable 
the routers of others... :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72533t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Lance Warner
They are not port numbers but rather *protocol* numbers


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72542t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Priscilla Oppenheimer
Zsombor Papp wrote:

> At 09:54 PM 7/17/2003 +, Priscilla Oppenheimer wrote:
> > It sounds like this is a hypothetical packet and situation that Cisco
> > quality assurance discovered. I thought it was something already being
> > exploited, but it doesn't sound like it. In that case, I guess I support
> > Cisco not telling us more about it.
>
> And in which case wouldn't you? If you are running any of the affected
> versions, then upgrade the routers or apply the workaround (and if you
> can't do any of these, then you should be right away grateful for Cisco not
> being very specific...).

As I explained, I don't use Cisco routers in a production network. 

But that doesn't stop hackers from attacking us with attacks that work only
on Cisco routers. Some attackers are too lazy to try to figure out that we
don't have Cisco routers. (It wouldn't be that hard to figure out). We have
had crashes on our systems from attackers who thought they were going to do
something else because they assumed a certain OS. They didn't succeed in
what they were trying to do, but they did wreak havoc.

 
> If you are not using any of the affected versions (if I understood
> correctly, you are not even using IOS to start with), then why do you worry
> about this?

I tried to explain it. Sorry you don't get it. Oh, well.

 
> I can understand that people's curiosity is always aroused by mysterious
> things that can kill a router, but keeping other people's production
> network operational is slightly more important than providing entertainment
> to the public. :)
 

It's not entertainment. Duh.  By the way, you work at Cisco, right? Are you
a good representation of the current employees? I used to work there. A lot
of the employees were like you back then too.

Priscilla



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72539t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread John Murphy
Cisco has updated the advisory, to version 1.3, which includes a great 
deal more detail regarding the vulnerability.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72541t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Daniel Cotts
53 SWIPE   IP with Encryption[JI6]
55 MOBILE  IP Mobility   [Perkins]
77 SUN-ND  SUN ND PROTOCOL-Temporary [WM3]
103 PIM Protocol Independent Multicast  [Farinacci]

> -Original Message-
> From: Lance Warner [mailto:[EMAIL PROTECTED]
>
> They are not port numbers but rather *protocol* numbers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72543t=72463
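The two posts above settle the point that matters for the workaround: 53, 55, 77 and 103 are values of the IPv4 header's protocol field, not TCP or UDP ports, so a line such as `deny udp any any eq 53` would not touch this traffic at all. What follows is an added example, not code from the thread, from Cisco or from the advisory: it reads the protocol field out of raw IPv4 headers, shows that a protocol-53 packet and a UDP packet to port 53 are different things, and emits an IOS extended access list that denies the four protocol numbers. The numbers and their IANA names are taken from Daniel's list; the packet bytes, addresses and ACL number are constructed; and restricting the match to packets addressed to the router's own interfaces (the `router_addrs` parameter) is my assumption, so the same function also produces the broader `any any` form when no addresses are given.

```python
"""Protocol numbers vs. port numbers: classify IPv4 packets by the header
protocol field and emit the matching router ACL.

Added example for this thread; it is not code from Cisco, from the advisory
or from any poster. The protocol numbers 53, 55, 77 and 103 and their IANA
names are taken from the list posted above; every packet and address below
is constructed for the demonstration.
"""
import struct
from typing import Dict, List, Optional, Tuple

# IPv4 protocol-field values and IANA names quoted in the thread.
BLOCKED_PROTOCOLS: Dict[int, str] = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}

# The protocol field and TCP/UDP port numbers are unrelated namespaces that
# happen to share the value 53 (SWIPE vs. DNS).
PROTO_UDP = 17
PORT_DNS = 53


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet (header checksum left 0; it is never sent)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def build_udp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build an IPv4/UDP packet; shows that dst port 53 is not protocol 53."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return build_ipv4(PROTO_UDP, src, dst, udp)


def parse_ipv4(packet: bytes) -> Tuple[int, str, str]:
    """Return (protocol, src, dst) from a raw IPv4 packet.

    The protocol field is byte 9 of the header; addresses are bytes 12-19.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return packet[9], src, dst


def matches_workaround(packet: bytes, router_addrs: Optional[set] = None) -> Tuple[bool, str]:
    """True when the packet's protocol field is in the blocked set.

    router_addrs is an assumption of this example: when given, only packets
    addressed to one of the router's own unicast addresses count, so transit
    traffic (PIM between two other routers, say) is left alone.
    """
    proto, src, dst = parse_ipv4(packet)
    name = BLOCKED_PROTOCOLS.get(proto)
    if name is None:
        return False, f"proto {proto} {src}->{dst}: not in blocked set"
    if router_addrs is not None and dst not in router_addrs:
        return False, f"proto {proto} ({name}) {src}->{dst}: transit, not to router"
    return True, f"proto {proto} ({name}) {src}->{dst}: drop"


def ios_acl(number: int, router_addrs: Optional[List[str]] = None) -> List[str]:
    """Emit IOS extended access-list lines for the blocked protocols.

    IOS has a 'pim' keyword for 103; the other three have no keyword and are
    written numerically. Without router_addrs the broader 'any any' form is
    produced. Apply with 'ip access-group <number> in' on each interface.
    """
    targets = [f"host {a}" for a in (router_addrs or [])] or ["any"]
    lines = []
    for proto in sorted(BLOCKED_PROTOCOLS):
        keyword = "pim" if proto == 103 else str(proto)
        for target in targets:
            lines.append(f"access-list {number} deny {keyword} any {target}")
    lines.append(f"access-list {number} permit ip any any")
    return lines


def demo(router: str = "198.51.100.1") -> List[Tuple[str, bool]]:
    """Classify a few constructed packets; returns (label, dropped) pairs."""
    samples = [
        ("proto 53 to router", build_ipv4(53, "192.0.2.10", router)),
        ("UDP to port 53 (DNS)", build_udp("192.0.2.10", router, 40000, PORT_DNS)),
        ("PIM to another router", build_ipv4(103, "192.0.2.10", "203.0.113.7")),
        ("proto 77 to router", build_ipv4(77, "192.0.2.11", router)),
    ]
    return [(label, matches_workaround(pkt, {router})[0]) for label, pkt in samples]


if __name__ == "__main__":
    for label, dropped in demo():
        print(f"{label:24s} -> {'DROP' if dropped else 'pass'}")
    print("\n".join(ios_acl(101, ["198.51.100.1"])))
```

Run it as a script to see the four classifications followed by the access list. Two caveats a practitioner would want: the `router_addrs` scoping is a convenience of this example and does not cover multicast or broadcast destinations the router also listens on, so treat the `any any` form as the conservative one; and denying protocol 103 inbound on an interface also stops PIM neighbour traffic arriving on it, so check `show ip pim neighbor` after applying the list. Protocol 55 is IP Mobility in the IANA list above, an IP-layer encapsulation, and a wireless LAN card does not by itself generate it, whatever the question about wireless networks later in the thread suggests.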


Re: a really big bug [7:72463]

2003-07-17 Thread
Daniel Cotts wrote in message
news:[EMAIL PROTECTED]
> 53 SWIPE   IP with Encryption[JI6]
> 55 MOBILE  IP Mobility   [Perkins]

oh great. so any joker with a wireless LAN card can crash your Cisco
wireless network, security or no?

> 77 SUN-ND  SUN ND PROTOCOL-Temporary [WM3]
> 103 PIM Protocol Independent Multicast  [Farinacci]
>
> > -Original Message-
> > From: Lance Warner [mailto:[EMAIL PROTECTED]
> >
> > They are not port numbers but rather *protocol* numbers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72547t=72463


Re: a really big bug [7:72463]

2003-07-17 Thread Zsombor Papp
At 12:16 AM 7/18/2003 +, Priscilla Oppenheimer wrote:
> By the way, you work at Cisco, right? Are you a good representation of the
> current employees?

No. Only a few of us post on groupstudy. :)

Thanks,

Zsombor




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72545t=72463


RE: a really big bug [7:72463]

2003-07-17 Thread Reimer, Fred
Peter?

I understand that you are no longer with Cisco, but I thought that you may
want to comment on this...

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050


NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.


-Original Message-
From: Zsombor Papp [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 9:44 PM
To: [EMAIL PROTECTED]
Subject: Re: a really big bug [7:72463]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72553t=72463