RE: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Mikael Abrahamsson wrote:
> On Wed, 16 Jul 2003, Darrell Kristof wrote:
> > Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> IS anyone seeing this exploited in the wild? It'd be good to know if we
> need to do panic upgrade or can schedule it for our next maintenance
> window (which is during the weekend).

According to the Cisco advisory, there are no reports of public knowledge of the exploit, nor has anyone been detected using the exploit. Since Cisco is keeping the packet information confidential, you can't program an IDS to detect it (i.e. no signature is available). But if your router does hang up, the Cisco advisory includes information about checking whether you've been hit by this bug, versus the numerous other bugs :-(

Cisco stated that if they receive any reports of the exploit in the wild, they will re-issue the advisory with the updated information.
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 01:09:36 -0400, Jared Mauch [EMAIL PROTECTED] wrote:
> http://puck.nether.net/~jared/gigflapping.mp3

Mirrored at http://www.netacc.net/~rtucker/gigflapping.mp3 ... same disclaimers as Jared gives, but I have more bandwidth. :-)

-rt (what do you mean I need a new chassis?)
--
Ryan Tucker [EMAIL PROTECTED]
RE: Cisco IOS Vulnerability
If Cisco made THIS big a deal of this to not release info to the public, I wouldn't wait. There must be a reason. I had to push and push to get any info and I think they finally gave up because too many people knew.

If you notice http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

    For Public Release 2003 July 17 at 0:00 UTC (GMT)

But at the bottom it says:

    Distribution
    This notice will be posted on the Cisco worldwide website at
    http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
    at 21:00 GMT on July 17th, 2003.

Hmmm... I think that means 4PM CT TOMORROW! From what I understand they didn't want this to be public until tomorrow afternoon.

- D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson
Sent: Thursday, July 17, 2003 12:48 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco IOS Vulnerability

On Wed, 16 Jul 2003, Darrell Kristof wrote:
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

--
Mikael Abrahamsson    email: [EMAIL PROTECTED]
Re: Cisco IOS Vulnerability
The workaround for transit suggests permitting only tcp, udp, icmp, gre, esp, and ah protocols. Is this sufficient to protect the router itself, or do you have to get hard-nosed with specific ACLs (restricting access to all your possible interface addresses)?

Jeff
Re: Cisco IOS Vulnerability (going OT)
1) I didn't make this
2) I can't remember where I got it from
3) please don't abuse my connection too much tonight

There is another thing to play when reloading boxes, above disclaimers 1 and 2 apply.

http://www.he.iki.fi/favorites.mpeg

Pete
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 01:05:46 CDT, Darrell Kristof [EMAIL PROTECTED] said:
> If Cisco made THIS big a deal of this to not release info to the public,
> I wouldn't wait. There must be a reason. I had to push and push to get
> any info and I think they finally gave up because too many people knew.

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml which says...

"Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.html."

I may have been a few off, but I counted *139* different trains on that page as being affected. The 12.0S train alone has *13* different rebuilds. And there's *gotta* be at least 3-4 trains that suffer from bad karma and refuse to rebuild unless the Rebuild Wizard comes by and sprinkles Magic Rebuild Dust all over the place, and then there's the special procedure put in place after last year's debacle when the Magic Rebuild Dust got on that llama... ;)

In other words - yeah, it's probably important to get this update deployed. But unless somebody has hard evidence to the contrary, I'm betting on it just being an attempt to not let things leak out till they're ready to ship across the board. That's a LOT of trains and rebuilds that all need to be ready at the same time, and Fred Brooks taught us all 30 years ago what happens when you try something like that. :)
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 [EMAIL PROTECTED] wrote:
:should be obtained through the Software Center on the Cisco worldwide website
:at http://www.cisco.com/tacpage/sw-center/sw-ios.html

I'm getting a 404 not found for that URL, while logged into CCO.
RE: Cisco IOS Vulnerability
It should be: http://www.cisco.com/tacpage/sw-center/sw-ios.shtml

The Advisory is being updated. It might even be out there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Wallingford
Sent: Thursday, July 17, 2003 12:18 AM
To: [EMAIL PROTECTED]
Cc: Darrell Kristof; [EMAIL PROTECTED]
Subject: Re: Cisco IOS Vulnerability

On Thu, 17 Jul 2003 [EMAIL PROTECTED] wrote:
:should be obtained through the Software Center on the Cisco worldwide website
:at http://www.cisco.com/tacpage/sw-center/sw-ios.html

I'm getting a 404 not found for that URL, while logged into CCO.
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 03:17:32 EDT, Brian Wallingford said:
> :at http://www.cisco.com/tacpage/sw-center/sw-ios.html
>
> I'm getting a 404 not found for that URL, while logged into CCO.

Hmm.. you mean Magic Rebuild Dust doesn't work on webpages? ;)

But yeah, it's *that* sort of thing that you want to try to iron out before the news gets out - having 139 trains all ready to go at the same time and making sure that TAC doesn't get slashdotted as a result is quite the intricate problem, and the last thing you need is complaints about 404's on webpages that weren't supposed to go live till tomorrow. ;)
Miami NANOG Feb. 2004
The next-after-next NANOG meeting (NANOG 30, our 10th anniversary) will be held February 8-10, 2004, in Miami, Florida. Our host will be Terremark, who also hosted our winter 2002 meeting. More details later - in the meantime, see you this October in Chicago for our joint meeting with ARIN.
RE: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Mikael Abrahamsson wrote:
> IS anyone seeing this exploited in the wild? It'd be good to know if we
> need to do panic upgrade or can schedule it for our next maintenance
> window (which is during the weekend).

Well, there's this from Wednesday afternoon...

- Dear ATT IP Services Customer:
-
- Please be advised of the following:
-
- This is a preliminary notification to inform you that ATT IP Services
- experienced an impairment that may have affected some customer traffic
- on the West Coast.

[The above is a mild understatement...]

- Our Network Engineers have resolved the issue and are currently
- investigating the root cause. A follow-up email will be sent at
- the conclusion of the investigation with more information.

[Nothing received yet...]

This was rumored to be a backhoe fade, but the advisory refers only to IP services and there was nothing in the popular press about any major phone outage, so I have my suspicions. Usually if there's a fiber cut they say so.

About this time is when all of the major backbones began flooding the net with their notices of panic upgrades. (This is being typed while watching rows and rows of !!!).

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Cisco IOS Vulnerability now in the news
July 17, 2003
DoS Flaw in Cisco Router, Switches
By Ryan Naraine
http://www.atnewyork.com/news/article.php/2236591
Re: Cisco IOS Vulnerability now in the news
At 11:00 AM 7/17/2003, Henry Linneweh wrote:
> July 17, 2003
> DoS Flaw in Cisco Router, Switches
> By Ryan Naraine
> http://www.atnewyork.com/news/article.php/2236591

Cisco Admits Flaw in Networking Software
By MATTHEW FORDAHL, AP Technology Writer
http://story.news.yahoo.com/news?tmpl=storycid=528ncid=528e=5u=/ap/20030717/ap_on_hi_te/cisco_vulnerability
Re: Cisco IOS Vulnerability
[EMAIL PROTECTED] wrote:
> In other words - yeah, it's probably important to get this update
> deployed. But unless somebody has hard evidence to the contrary, I'm
> betting on it just being an attempt to not let things leak out till
> they're ready to ship across the board. That's a LOT of trains and
> rebuilds that all need to be ready at the same time, and Fred Brooks
> taught us all 30 years ago what happens when you try something like
> that. :)

One of the 12.2 lines I have to use shows a post of June 25. My guess is that they started rebuilding some of the later IOS versions and worked their way back. My 12.0S line didn't post until today.

-Jack
Re: Cisco IOS Vulnerability
Sean Donelan wrote:
> Cisco stated if they receive any reports of the exploit in the wild,
> they will re-issue the advisory with the updated information.

Sendmail root exploit took less than 24 hours to craft. I suspect that this exploit will be found within 48 hours. Enough information was provided to quickly guess where the problem lies with IPv4 processing.

-Jack
Fixed IOS datestamps?
I started collecting the new IOS files for tonight's reboot of the Internet, and I had a quick question. The datestamps on a lot of the maintenance releases are months old, and I just want to make sure I'm getting the right stuff, as they say, so we don't have to do this dance again tomorrow.

For example, 12.0S users are recommended to go to 12.0(25)S, which at least for the GSR is dated April 14, 2003. Do I have the right build of 12.0(25)S or will there be one with a date closer to the revelation of the exploit showing up on the cisco FTP site?

Thanks
-Scott
Re: Fixed IOS datestamps?
Scott Call wrote:
> For example, 12.0S users are recommended to go to 12.0(25)S, which at
> least for the GSR is dated April 14, 2003. Do I have the right build of
> 12.0(25)S or will there be one with a date closer to the revelation of
> the exploit showing up on the cisco FTP site?

I think that's a typo. 12.0(25)S gave me that it was vulnerable and I needed 12.0(25)S1.

-Jack
RE: Fixed IOS datestamps?
I had the same problem, with no resolution from any of my contacts yet either (perhaps they're busy?)...

In my case, 12.2(14)S is a recommended option for 7200s (but built a while back), but that leaves me wondering about 12.2(14)S2 and 12.2(14)S3 (the last of which was at least built recently).

Perhaps someone on the list has already compiled a quick "here's a good set of releases for ISPs" list that covers the obvious router choices?

I'm also having trouble deciphering whether or not there's an old enough release that isn't affected by the bug for 2511 and 2611, since the bug tool data isn't the same as the vulnerability announcement list.

Matthew Kaufman
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Call
Sent: Thursday, July 17, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: Fixed IOS datestamps?

I started collecting the new IOS files for tonight's reboot of the Internet, and I had a quick question. The datestamps on a lot of the maintenance releases are months old, and I just want to make sure I'm getting the right stuff, as they say, so we don't have to do this dance again tomorrow.

For example, 12.0S users are recommended to go to 12.0(25)S, which at least for the GSR is dated April 14, 2003. Do I have the right build of 12.0(25)S or will there be one with a date closer to the revelation of the exploit showing up on the cisco FTP site?

Thanks
-Scott
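The practical point of the "Fixed IOS datestamps?" exchange is that an image's build date tells you nothing about whether it carries the fix: Jack's bug-tool result was that 12.0(25)S was still flagged and 12.0(25)S1 was required, so the rebuild suffix after the train letter is what has to be compared, per release line. The following is an added example, not code from the thread, from Cisco or from the advisory. It parses IOS version strings of the form major.minor(maintenance[letter])[TRAIN][rebuild], orders them within a line, and checks a running version against a table of first fixed rebuilds. That table is an assumption: the 12.0S entry is taken from Jack's report above, the 12.2S entry is a placeholder, and the sample `show version` text is constructed; real fixed releases must come from the advisory's software table.

```python
import re
from typing import Dict, NamedTuple, Optional

# Matches strings such as 12.0(25)S, 12.0(25)S1, 12.2(14)S3, 12.3(1a), 12.2(13)T4:
# major.minor(maintenance[letter])[TRAIN][rebuild]
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<maint>\d+)(?P<maint_letter>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d*)$"
)


class IOSVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    maint_letter: str   # interim letter, e.g. the 'a' in 12.3(1a); '' if none
    train: str          # e.g. 'S', 'T'; '' for the mainline
    rebuild: int        # the '1' in 12.0(25)S1; 0 if none

    @property
    def line(self) -> str:
        """Release line the version belongs to, e.g. '12.0S' or '12.2S'."""
        return f"{self.major}.{self.minor}{self.train}"

    def order(self):
        """Ordering within one release line: maintenance number, interim
        letter (none sorts first), then rebuild number."""
        return (self.maint, self.maint_letter, self.rebuild)


def parse(version: str) -> IOSVersion:
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    return IOSVersion(
        int(m["major"]), int(m["minor"]), int(m["maint"]),
        m["maint_letter"], m["train"], int(m["rebuild"] or 0),
    )


# Illustrative table of the first rebuild in each line that carries the fix.
# Only the 12.0S entry comes from the thread (Jack Bates' report that
# 12.0(25)S was flagged and 12.0(25)S1 was required); the 12.2S entry is a
# stand-in. Replace both with the advisory's own software table.
FIXED: Dict[str, IOSVersion] = {
    "12.0S": parse("12.0(25)S1"),
    "12.2S": parse("12.2(14)S3"),  # placeholder, not a claim about 12.2S
}


def is_fixed(version: str, fixed: Dict[str, IOSVersion] = FIXED) -> Optional[bool]:
    """True if `version` is at or after its line's fixed rebuild, False if
    it is earlier, None if the line is not in the table at all.

    Assumes later maintenance releases in the same line also carry the
    fix; confirm that against the advisory before relying on it."""
    v = parse(version)
    f = fixed.get(v.line)
    if f is None:
        return None
    return v.order() >= f.order()


# Constructed sample of the first lines of `show version` output, with the
# version string in the position IOS prints it.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GSR-P-M), Version 12.0(25)S, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
"""

SHOW_VERSION_RE = re.compile(r"\bVersion (\S+?),")


def version_from_show_version(text: str) -> str:
    """Pull the version string out of `show version` output."""
    m = SHOW_VERSION_RE.search(text)
    if m is None:
        raise ValueError("no 'Version x.y(z)...,' field found")
    return m.group(1)


def check_fleet(inventory):
    """Classify (hostname, show-version-text) pairs by whether the running
    image is at or past the fixed rebuild for its line."""
    result = {}
    for host, text in inventory:
        result[host] = is_fixed(version_from_show_version(text))
    return result


if __name__ == "__main__":
    for v in ("12.0(25)S", "12.0(25)S1", "12.0(26)S", "12.2(14)S2", "12.3(1a)"):
        print(f"{v:12} fixed={is_fixed(v)}")
    print(check_fleet([("gsr1", SAMPLE_SHOW_VERSION)]))
```

A `None` result is deliberately distinct from `False`: a line that is absent from the table (12.3 mainline in the sample run) has not been assessed at all, which is the situation Matthew describes for the 2511 and 2611, and it should be treated as unknown rather than as safe.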
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Jack Bates wrote:
> Sean Donelan wrote:
> > Cisco stated if they receive any reports of the exploit in the wild,
> > they will re-issue the advisory with the updated information.
>
> Sendmail root exploit took less than 24 hours to craft. I suspect that
> this exploit will be found within 48 hours. Enough information was
> provided to quickly guess where the problem lies with IPv4 processing.

Sendmail is open source, IOS is not. Knowing where the problem is and knowing how to exploit it are two entirely different situations.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Cisco IOS Vulnerability
On Thursday, Jul 17, 2003, at 15:59 Canada/Eastern, Andy Dills wrote:
> On Thu, 17 Jul 2003, Jack Bates wrote:
> > Sendmail root exploit took less than 24 hours to craft. I suspect that
> > this exploit will be found within 48 hours. Enough information was
> > provided to quickly guess where the problem lies with IPv4 processing.
>
> Sendmail is open source, IOS is not. Knowing where the problem is and
> knowing how to exploit it are two entirely different situations.

If any IOS source code has ever found its way out of cisco since IOS 10.3 (and surely, that must have happened), then it seems reasonable to assume that there are people in the world currently comparing the advisory to the source.

Joe
Re: New information on cisco exploit
Alex Rubenstein writes:
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

FYI, be sure to hit shift-reload in your browser so you're not accidentally reading a cached local copy of the older version. You should see version 1.3 as of a few minutes ago.

Jim

==
Jim Duncan, Critical Infrastructure Assurance Group, Cisco Systems, Inc.
[EMAIL PROTECTED], +1 919 392 6209, http://www.cisco.com/go/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821