RE: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Mikael Abrahamsson wrote:
> On Wed, 16 Jul 2003, Darrell Kristof wrote:
> > Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

According to the cisco advisory, there are no reports of public knowledge of the exploit nor has anyone been detected using the exploit. Since Cisco is keeping the packet information confidential, you can't program an IDS to detect it (i.e. no signature is available). But if your router does hang up, the cisco advisory includes information about checking if you've been hit by this bug; versus the numerous other bugs :-(

Cisco stated if they receive any reports of the exploit in the wild, they will re-issue the advisory with the updated information.
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 01:09:36 -0400, Jared Mauch [EMAIL PROTECTED] wrote:
> http://puck.nether.net/~jared/gigflapping.mp3

Mirrored at http://www.netacc.net/~rtucker/gigflapping.mp3 ... same disclaimers as Jared gives, but I have more bandwidth. :-)

-rt (what do you mean I need a new chassis?)

--
Ryan Tucker [EMAIL PROTECTED]
RE: Cisco IOS Vulnerability
If Cisco made THIS big a deal of this to not release info to the public, I wouldn't wait. There must be a reason. I had to push and push to get any info and I think they finally gave up because too many people knew.

If you notice http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

For Public Release 2003 July 17 at 0:00 UTC (GMT)

But at the bottom it says:

Distribution
This notice will be posted on the Cisco worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml at 21:00 GMT on July 17th, 2003.

Hmmm... I think that means 4PM CT TOMORROW! From what I understand they didn't want this to be public until tomorrow afternoon.

- D

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson
Sent: Thursday, July 17, 2003 12:48 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco IOS Vulnerability

On Wed, 16 Jul 2003, Darrell Kristof wrote:
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Cisco IOS Vulnerability
The workaround for transit suggests permitting only tcp, udp, icmp, gre, esp, and ah protocols. Is this sufficient to protect the router itself, or do you have to get hard-nosed with specific ACLs (restricting access to all your possible interface addresses)? Jeff
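
An added example, not part of the thread or of Cisco's advisory: one way to check an existing extended ACL against the six-protocol allowlist quoted in the question above. The sample ACL is constructed and `audit_acl` is a hypothetical helper name; the check covers only the transit allowlist and says nothing about traffic addressed to the router itself.

```python
import re

# IP protocol numbers for the six protocols the workaround permits, as quoted
# in the question above. "ahp" is the IOS ACL keyword for AH.
ALLOWED = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

# Numbered ("access-list 101 permit tcp ...") or named-ACL ("10 permit tcp ...")
# extended entries; the protocol field is an IOS keyword or a number 0-255.
ENTRY = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?(?:\d+\s+)?(permit|deny)\s+(\S+)\s", re.I)

# Constructed sample ACL (not taken from the advisory or from the thread).
SAMPLE_ACL = """\
access-list 101 remark constructed sample for the audit below
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit 47 any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit ospf any any
access-list 101 permit ip any 192.0.2.0 0.0.0.255
access-list 101 deny ip any any
"""


def audit_acl(text):
    """Return [(line_number, protocol)] for permit entries outside ALLOWED.

    Extended ACLs only. "permit ip" matches every IP protocol, so it is
    always reported, as is any keyword or number not in the allowlist.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if m is None or m.group(1).lower() != "permit":
            continue  # remarks, ACL headers, blank lines and deny entries
        proto = m.group(2).lower()
        number = int(proto) if proto.isdigit() else ALLOWED.get(proto)
        if number not in ALLOWED.values():
            findings.append((lineno, proto))
    return findings


if __name__ == "__main__":
    for lineno, proto in audit_acl(SAMPLE_ACL):
        print(f"line {lineno}: permits '{proto}', outside the allowlist")
```
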
Re: Cisco IOS Vulnerability (going OT)
> 1) I didn't make this
> 2) I can't remember where i got it from
> 3) please don't abuse my connection too much tonight

There is another thing to play when reloading boxes, above disclaimers 1 and 2 apply.

http://www.he.iki.fi/favorites.mpeg

Pete
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 01:05:46 CDT, Darrell Kristof [EMAIL PROTECTED] said:
> If Cisco made THIS big a deal of this to not release info to the public, I wouldn't wait. There must be a reason. I had to push and push to get any info and I think they finally gave up because too many people knew.

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

which says...

"Customers with contracts should obtain upgraded software free of charge through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on the Cisco worldwide website at http://www.cisco.com/tacpage/sw-center/sw-ios.html."

I may have been a few off, but I counted *139* different trains on that page as being affected. The 12.0S train alone has *13* different rebuilds. And there's *gotta* be at least 3-4 trains that suffer from bad karma and refuse to rebuild unless the Rebuild Wizard comes by and sprinkles Magic Rebuild Dust all over the place, and then there's the special procedure put in place after last year's debacle when the Magic Rebuild Dust got on that llama... ;)

In other words - yeah, it's probably important to get this update deployed. But unless somebody has hard evidence to the contrary, I'm betting on it just being an attempt to not let things leak out till they're ready to ship across the board. That's a LOT of trains and rebuilds that all need to be ready at the same time, and Fred Brooks taught us all 30 years ago what happens when you try something like that. :)
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 [EMAIL PROTECTED] wrote:
:should be obtained through the Software Center on the Cisco worldwide website
:at http://www.cisco.com/tacpage/sw-center/sw-ios.html

I'm getting a 404 not found for that URL, while logged into CCO.
RE: Cisco IOS Vulnerability
It should be: http://www.cisco.com/tacpage/sw-center/sw-ios.shtml

The Advisory is being updated. It might even be out there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Wallingford
Sent: Thursday, July 17, 2003 12:18 AM
To: [EMAIL PROTECTED]
Cc: Darrell Kristof; [EMAIL PROTECTED]
Subject: Re: Cisco IOS Vulnerability

On Thu, 17 Jul 2003 [EMAIL PROTECTED] wrote:
:should be obtained through the Software Center on the Cisco worldwide website
:at http://www.cisco.com/tacpage/sw-center/sw-ios.html

I'm getting a 404 not found for that URL, while logged into CCO.
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003 03:17:32 EDT, Brian Wallingford said:
> :at http://www.cisco.com/tacpage/sw-center/sw-ios.html
>
> I'm getting a 404 not found for that URL, while logged into CCO.

Hmm.. you mean Magic Rebuild Dust doesn't work on webpages? ;)

But yeah, it's *that* sort of thing that you want to try to iron out before the news gets out - having 139 trains all ready to go at the same time and making sure that TAC doesn't get slashdotted as a result is quite the intricate problem, and the last thing you need is complaints about 404's on webpages that weren't supposed to go live till tomorrow. ;)
RE: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Mikael Abrahamsson wrote:
> IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

Well, there's this from Wednesday afternoon...

- Dear ATT IP Services Customer:
-
- Please be advised of the following:
-
- This is a preliminary notification to inform you that ATT IP Services
- experienced an impairment that may have affected some customer traffic
- on the West Coast.

[The above is a mild understatement...]

- Our Network Engineers have resolved the issue and are currently
- investigating the root cause. A follow-up email will be sent at
- the conclusion of the investigation with more information.

[Nothing received yet...]

This was rumored to be a backhoe fade but the advisory refers only to IP services and there was nothing in the popular press about any major phone outage, so I have my suspicions. Usually if there's a fiber cut they say so.

About this time is when all of the major backbones began flooding the net with their notices of panic upgrades. (This is being typed while watching rows and rows of !!!).

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Cisco IOS Vulnerability now in the news
July 17, 2003
DoS Flaw in Cisco Router, Switches
By Ryan Naraine
http://www.atnewyork.com/news/article.php/2236591
Re: Cisco IOS Vulnerability now in the news
At 11:00 AM 7/17/2003, Henry Linneweh wrote:
> July 17, 2003
> DoS Flaw in Cisco Router, Switches
> By Ryan Naraine
> http://www.atnewyork.com/news/article.php/2236591

Cisco Admits Flaw in Networking Software
By MATTHEW FORDAHL, AP Technology Writer
http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=5&u=/ap/20030717/ap_on_hi_te/cisco_vulnerability
Re: Cisco IOS Vulnerability
[EMAIL PROTECTED] wrote:
> In other words - yeah, it's probably important to get this update deployed. But unless somebody has hard evidence to the contrary, I'm betting on it just being an attempt to not let things leak out till they're ready to ship across the board. That's a LOT of trains and rebuilds that all need to be ready at the same time, and Fred Brooks taught us all 30 years ago what happens when you try something like that. :)

One of the 12.2 lines I have to use shows a post of June, 25. My guess is that they started rebuilding some of the later IOS versions and worked their way back. My 12.0S line didn't post until today.

-Jack
Re: Cisco IOS Vulnerability
Sean Donelan wrote:
> Cisco stated if they receive any reports of the exploit in the wild, they will re-issue the advisory with the updated information.

Sendmail root exploit took less than 24 hours to craft. I suspect that this exploit will be found within 48 hours. Enough information was provided to quickly guess where the problem lies with IPv4 processing.

-Jack
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Jack Bates wrote:
> Sean Donelan wrote:
> > Cisco stated if they receive any reports of the exploit in the wild, they will re-issue the advisory with the updated information.
>
> Sendmail root exploit took less than 24 hours to craft. I suspect that this exploit will be found within 48 hours. Enough information was provided to quickly guess where the problem lies with IPv4 processing.

Sendmail is open source, IOS is not. Knowing where the problem is and knowing how to exploit it are two entirely different situations.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: Cisco IOS Vulnerability
On Thursday, Jul 17, 2003, at 15:59 Canada/Eastern, Andy Dills wrote:
> On Thu, 17 Jul 2003, Jack Bates wrote:
> > Sendmail root exploit took less than 24 hours to craft. I suspect that this exploit will be found within 48 hours. Enough information was provided to quickly guess where the problem lies with IPv4 processing.
>
> Sendmail is open source, IOS is not. Knowing where the problem is and knowing how to exploit it are two entirely different situations.

If any IOS source code has ever found its way out of cisco since IOS 10.3 (and surely, that must have happened), then it seems reasonable to assume that there are people in the world currently comparing the advisory to the source.

Joe
IOS Vulnerability
For full details about the vulnerability see http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml Scott C. McGrath
RE: Cisco IOS Vulnerability
Cisco has posted information regarding this issue and work arounds. 12.3 based code does not exhibit this problem.

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

- Darrell

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Timmons
Sent: Wednesday, July 16, 2003 9:20 PM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Vulnerability

i have no details regarding the ios vulnerability other than what has already been stated on-list, but the IOS matrix obtained this evening and listed at http://www.0ptical.net/cisco.html shows what versions are affected, and what to upgrade to resolve the mystery issue.

not sure why psirt is keeping this under wraps, since most NSPs are publicly scheduling emergency upgrades to fix network problems that aren't being detailed to customers, and those same customers can and will be affected by the same problem.

thx,
JT
Re: Cisco IOS Vulnerability
On Wed, Jul 16, 2003 at 10:11:49PM -0500, Darrell Kristof wrote:
> Cisco has posted information regarding this issue and work arounds. 12.3 based code does not exhibit this problem.
>
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

I'm not sure how many of you have seen cases of a stuck input or output queue on an interface in the past as well, seems like cisco needs a clear queue command.

- Jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Cisco IOS Vulnerability
On Thu, Jul 17, 2003 at 01:02:42AM -0400, Jason Lixfeld wrote:
> On Wednesday, July 16, 2003, at 11:34 PM, joshua sahala wrote:
> > anyone have the 'scheduled maintenance mp3 lying around? i have a feeling i am going to need it
>
> This wouldn't be the My gig port's down, and now it's up again... song would it? :)
>
> If not, pass along the right one when you find it, will ya?

1) I didn't make this
2) I can't remember where i got it from
3) please don't abuse my connection too much tonight

http://puck.nether.net/~jared/gigflapping.mp3

- jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Cisco IOS Vulnerability
On Thu, 17 Jul 2003, Jared Mauch wrote:
> On Thu, Jul 17, 2003 at 01:02:42AM -0400, Jason Lixfeld wrote:
> > On Wednesday, July 16, 2003, at 11:34 PM, joshua sahala wrote:
> > > anyone have the 'scheduled maintenance mp3 lying around? i have a feeling i am going to need it
> >
> > This wouldn't be the My gig port's down, and now it's up again... song would it? :)
> >
> > If not, pass along the right one when you find it, will ya?
>
> 1) I didn't make this
> 2) I can't remember where i got it from
> 3) please don't abuse my connection too much tonight
>
> http://puck.nether.net/~jared/gigflapping.mp3

don't abuse Jared, abuse me:

ftp://mirrors.secsup.org/tmp/gigflapping.mp3

it should be completely there in a few minutes.
Re: Cisco IOS Vulnerability
So that was the one...

On Thursday, July 17, 2003, at 1:09 AM, Jared Mauch wrote:
> On Thu, Jul 17, 2003 at 01:02:42AM -0400, Jason Lixfeld wrote:
> > On Wednesday, July 16, 2003, at 11:34 PM, joshua sahala wrote:
> > > anyone have the 'scheduled maintenance mp3 lying around? i have a feeling i am going to need it
> >
> > This wouldn't be the My gig port's down, and now it's up again... song would it? :)
> >
> > If not, pass along the right one when you find it, will ya?
>
> 1) I didn't make this
> 2) I can't remember where i got it from
> 3) please don't abuse my connection too much tonight
>
> http://puck.nether.net/~jared/gigflapping.mp3
>
> - jared
>
> --
> Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: Cisco IOS Vulnerability
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jared Mauch
| Sent: Thursday, July 17, 2003 1:10 AM
| To: Jason Lixfeld
| Cc: joshua sahala; '[EMAIL PROTECTED]'
| Subject: Re: Cisco IOS Vulnerability
|
| On Thu, Jul 17, 2003 at 01:02:42AM -0400, Jason Lixfeld wrote:
|
| On Wednesday, July 16, 2003, at 11:34 PM, joshua sahala wrote:
|
| anyone have the 'scheduled maintenance mp3 lying around? i have a feeling i am going to need it
|
| This wouldn't be the My gig port's down, and now it's up again... song would it? :)
|
| If not, pass along the right one when you find it, will ya?
|
| 1) I didn't make this
| 2) I can't remember where i got it from
| 3) please don't abuse my connection too much tonight
|
| http://puck.nether.net/~jared/gigflapping.mp3

That link is returning a 403. Here's a copy on one of my boxes:

http://www.ciphin.com/nanog/gigflapping.mp3

Todd
--

| - jared
|
| --
| Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
| clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Flapping (was Re: Cisco IOS Vulnerability)
On Thu, 17 Jul 2003, Jason Lixfeld wrote:
> This wouldn't be the My gig port's down, and now it's up again... song would it? :)

Folks may remember when ISPs were responding to the SNMP vulnerability many backbones were rebooting their routers during maintenance windows. At the time, some people monitoring BGP and other things thought the Internet was under attack because a huge portion of the net bounced early in the morning. In reality it was just one backbone during a global router reboot.

Don't panic if you see BGP flaps from backbones during the next few weeks.
RE: Cisco IOS Vulnerability
On Wed, 16 Jul 2003, Darrell Kristof wrote:
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

--
Mikael Abrahamsson email: [EMAIL PROTECTED]
Re: Cisco IOS Vulnerability
On Thu, Jul 17, 2003 at 07:48:24AM +0200, Mikael Abrahamsson wrote:
> On Wed, 16 Jul 2003, Darrell Kristof wrote:
> > Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> > http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
>
> IS anyone seeing this exploited in the wild? It'd be good to know if we need to do panic upgrade or can schedule it for our next maintenance window (which is during the weekend).

I've been keeping my ear close to the ground. A number of people have been attempting to find the packet to better place ACLs in the internet community, but i've also heard of people seeing more series of unusual packets on their network in the past few days as well.

Nobody has found it yet that i'm aware of and Cisco found this in internal testing so I expect you will be safe for a period of time sufficient to do weekend upgrades.

- jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.