Re: Cisco Vulnerability Testing Results

2003-07-22 Thread Neil J. McRae

> You don't know quite how rife that rumour is over here at the moment.

Peter,
How so unlike you to take an anti-establishment view!

Neil




Re: Cisco Vulnerability Testing Results

2003-07-22 Thread Peter Galbavy

Neil J. McRae wrote:
> How so unlike you to take an anti-establishment view!

Not anti-establishment. I am far from an anarchist. I am anti-idiot.

Peter


RE: Cisco Vulnerability Testing Results

2003-07-22 Thread Bob German


Anti-idiot is not political.  It's religion.  At least for me it is.

Bob German

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Peter Galbavy
Sent: Tuesday, July 22, 2003 12:34 PM
To: Neil J. McRae
Cc: Richard Irving; [EMAIL PROTECTED]
Subject: Re: Cisco Vulnerability Testing Results



Neil J. McRae wrote:
> How so unlike you to take an anti-establishment view!

Not anti-establishment. I am far from an anarchist. I am anti-idiot.

Peter



Re: Cisco Vulnerability Testing Results

2003-07-19 Thread Jim Duncan

Jason Frisvold writes:
> Just for fun we hit an old AGS+ router with 10.2(4) code on it..
> Apparently older code is vulnerable too..

You are correct.  The vulnerability was introduced back in 1994 in a
patch that was integrated into 10.0(6.1) and 10.2(1.6).  The vuln is
present in any release that follows in those same trains, such as
10.2(4) as you confirmed above, as well as in all of 10.3.

All other prior versions of IOS do not contain the software that
introduced the vulnerability and are probably not vulnerable, but I will
not be able to confirm that by testing it.

> So..  everyone running AGS+'s in the core, beware.. *grin*

The workarounds should apply, but not much else. ;-)

Jim



==
Jim Duncan, Critical Infrastructure Assurance Group, Cisco Systems, Inc.
[EMAIL PROTECTED], +1 919 392 6209, http://www.cisco.com/go/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821





Re: Cisco Vulnerability Testing Results

2003-07-19 Thread alex

> All other prior versions of IOS do not contain the software that
> introduced the vulnerability and are probably not vulnerable, but I will
> not be able to confirm that by testing it.
>
> > So..  everyone running AGS+'s in the core, beware.. *grin*
>
> The workarounds should apply, but not much else. ;-)

We are C. We never have a fix. We have a patch... after patch after
patch... after patch... after patch... and at some point there are no more
patches, but there is no fix either.

I have this brilliantly simple idea that somehow everyone forgets, while
they tout all the new advanced stuff. Do not introduce yet another name
for filtering that works only in some cases. Fix the filtering code so we
can filter *anything* at *any packet rate* on *any interface* that passes *any
traffic* without bringing the router to its knees.



Alex



Re: Cisco Vulnerability Testing Results

2003-07-19 Thread Richard Irving

[EMAIL PROTECTED] wrote:
> I have this brilliantly simple idea that somehow everyone forgets, while
> they tout all the new advanced stuff. Do not introduce yet another name
> for filtering that works only in some cases. Fix the filtering code so we
> can filter *anything* at *any packet rate* on *any interface* that passes *any
> traffic* without bringing the router to its knees.

  Already done, however, the only prototype source code is still
 in test mode, in the same facility as the WMD, in Iraq
 David Kelly has been dispatched by Tony Blair,

  It -=should=- be here any minute now...

   :\



> Alex



Re: Cisco Vulnerability Testing Results

2003-07-19 Thread Peter Galbavy

Richard Irving wrote:
> David Kelly has been dispatched by Tony Blair,

s/disp/desp/

You don't know quite how rife that rumour is over here at the moment.

Peter


Re: Cisco Vulnerability Testing Results

2003-07-18 Thread Jason Frisvold

Just a quick credit email..  :)

I wanna make sure credit is given to the 2 guys who helped with this
testing..  Keith Pachulski and Chrus Kruslicky .. both from PTD..

:)

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
>
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> >
> > First post..  I hope this is ok ...
> >
> > We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> SNIP
> > Testing scenario is this :
> >
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514
> >     Ethernet0 (10.0.0.1/24) is in from the attacker
> >     Ethernet1 (192.168.0.1/24) is output to the 2501
> > Cisco 2501
> >     Ethernet0 (192.168.0.2/24) is in from the 2514
> SNIP
>
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply...  I won't post the exact command string, but it's
> not that hard to figure out...  And with HPing, you can easily take down
> an interface in under a second.
>
> Now, on to ACL testing...
>
> 3 ACL tests just to make sure we had everything correct ...  We first
> tried the any any ACL that Cisco recommends :
>
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
>
> This produced expected results.  When placed on the interface, it
> prevented the router from being attacked.
>
> Next, we tried an ACL with just the interface IP in it :
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
>
> We applied this to the Ethernet0 interface on the 2514.  Attacks to that
> IP were prevented as expected.
>
> Attacks through to the 2501 were not blocked, again as expected.
>
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
>
> And the last test was an ACL containing all of the IP's on the router:
>
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
>
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501..  This is as expected.
>
> Also, another note.  Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers..  (We're
> assuming that the device is still vulnerable)  If the attacker has the
> loopback of the router, they can run an attack at that interface.  Every
> input interface will be attacked in succession.  As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
>
> Just be sure to add the loopback IP as part of the ACL ...  :)
-- 
---
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
[EMAIL PROTECTED]
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---
Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world.
  -- Albert Einstein [1879-1955]
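
An added example, not part of the original posts: a Python check that walks an extended ACL in first-match order and lists every router-owned address the four protocols can still reach, which is the gap the second ACL test and the loopback note describe. The loopback address 172.16.255.1 is constructed for illustration, and only entries with source `any` are evaluated (an assumption matching the ACLs in the post).

```python
import ipaddress

PROTOCOLS = (53, 55, 77, 103)  # IP protocol numbers denied by the ACLs in the post

# Second ACL from the post: only the Ethernet0 address is listed.
ACL_E0_ONLY = """\
access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 permit ip any any
"""
# 2514 addresses from the post, plus a constructed loopback (assumption).
ROUTER_ADDRS = ["10.0.0.1", "192.168.0.1", "172.16.255.1"]

def parse_dst(tokens):
    """Turn 'any', 'host A' or 'A WILDCARD' into a predicate over IPv4Address."""
    if tokens[0] == "any":
        return lambda ip: True
    if tokens[0] == "host":
        return lambda ip: ip == ipaddress.IPv4Address(tokens[1])
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return lambda ip: (int(ip) | wild) == (base | wild)  # wildcard bits are "don't care"

def parse_acl(text):
    """Parse 'access-list N action proto any <dst>' lines in order (source 'any' only)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[4] == "any":
            entries.append((tok[2], tok[3], parse_dst(tok[5:])))
    return entries

def uncovered(acl_text, router_addrs, protocols=PROTOCOLS):
    """Return (address, protocol) pairs owned by the router that the ACL permits."""
    entries = parse_acl(acl_text)
    gaps = []
    for addr in map(ipaddress.IPv4Address, router_addrs):
        for proto in protocols:
            # First matching entry wins; an ACL ends with an implicit deny.
            verdict = next((action for action, p, dst in entries
                            if p in ("ip", str(proto)) and dst(addr)), "deny")
            if verdict == "permit":
                gaps.append((str(addr), proto))
    return gaps

if __name__ == "__main__":
    for addr, proto in uncovered(ACL_E0_ONLY, ROUTER_ADDRS):
        print(f"protocol {proto} to {addr} is permitted")
```

Feeding it the full address list from the running configuration, loopbacks included, shows which `deny ... host` lines are still missing before the final `permit ip any any`.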

