Cisco can confirm the statement made by FX from Phenoelit in his message
"Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in
certain Cisco IOS versions is vulnerable to a denial of service if it
receives a flood of neighbor announcements in which more than 255 hosts
try to establish a neighbor relationship per interface.
One workaround for this issue is to configure OSPF MD5 authentication.
This may be done per interface or per area.
Another possible workaround is to apply inbound access lists to explicitly
allow certain OSPF neighbors only:
Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
This bug has been resolved. The following versions of Cisco IOS software
are the first fixed releases, meaning that any subsequent releases also
contain the fix:
12.0(19)S
12.0(19)ST
12.1(1)
12.1(1)DB
12.1(1)DC
12.1(1)T
We would like to thank FX for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.
For information on working with the Cisco PSIRT regarding potential security
issues, please see our contact information at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problem
s
Thank you,
- -Mike-
> Hi there,
>
> attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
> is long fixed, so if you still run OSPF on a old version of IOS, now is a good
> time to give your routers some attention.
>
> FX
>
> --
> FX <fx (at) phenoelit (dot) de [email concealed]>
> Phenoelit (http://www.phenoelit.de)
> 672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
>
> /* Cisco IOS IO memory exploit prove of concept
> * by FX of Phenoelit <fx (at) phenoelit (dot) de [email concealed]>
> * http://www.phenoelit.de
> *
> * For:
> * 19C3 Chaos Communication Congress 2002 / Berlin
> * BlackHat Briefings Seattle 2003
> *
> * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
> * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
> * structure (small buffer header). The attached program is a PoC to exploit
> * this vulnerability by executing "shell code" on the router and write the
> * attached configuration into NVRAM to basicaly own the router.
> *
- --
- ------------------------------------------------------------------------
----
| || || | Mike Caudill | mcaudill (at) cisco (dot) com [email concealed] |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ------------------------------------------------------------------------
----
Hash: SHA1
Cisco can confirm the statement made by FX from Phenoelit in his message
"Cisco IOS OSPF exploit" posted on 2003-Feb-20. The OSPF implementation in
certain Cisco IOS versions is vulnerable to a denial of service if it
receives a flood of neighbor announcements in which more than 255 hosts
try to establish a neighbor relationship per interface.
One workaround for this issue is to configure OSPF MD5 authentication.
This may be done per interface or per area.
Another possible workaround is to apply inbound access lists to explicitly
allow certain OSPF neighbors only:
access-list 100 permit ospf host a.b.c.x host 224.0.0.5
access-list 100 permit ospf host a.b.c.x host interface_ip
access-list 100 permit ospf host a.b.c.y host 224.0.0.5
access-list 100 permit ospf host a.b.c.y host interface_ip
access-list 100 permit ospf host a.b.c.z host 224.0.0.5
access-list 100 permit ospf host a.b.c.z host interface_ip
access-list 100 permit ospf any host 224.0.0.6
access-list 100 deny ospf any any
access-list 100 permit ip any any
Cisco IOS Versions 11.1 - 12.0 are subject to this vulnerability.
This bug has been resolved. The following versions of Cisco IOS software
are the first fixed releases, meaning that any subsequent releases also
contain the fix:
12.0(19)S
12.0(19)ST
12.1(1)
12.1(1)DB
12.1(1)DC
12.1(1)T
We would like to thank FX for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.
For information on working with the Cisco PSIRT regarding potential security
issues, please see our contact information at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml#Problem
s
Thank you,
- -Mike-
> Hi there,
>
> attached you may find the exploit for the Cisco IOS bug ID CSCdp58462. The bug
> is long fixed, so if you still run OSPF on a old version of IOS, now is a good
> time to give your routers some attention.
>
> FX
>
> --
> FX <fx (at) phenoelit (dot) de [email concealed]>
> Phenoelit (http://www.phenoelit.de)
> 672D 64B2 DE42 FCF7 8A5E E43B C0C1 A242 6D63 B564
>
> /* Cisco IOS IO memory exploit prove of concept
> * by FX of Phenoelit <fx (at) phenoelit (dot) de [email concealed]>
> * http://www.phenoelit.de
> *
> * For:
> * 19C3 Chaos Communication Congress 2002 / Berlin
> * BlackHat Briefings Seattle 2003
> *
> * Cisco IOS 11.2.x to 12.0.x OSPF neighbor overflow
> * Cisco Bug CSCdp58462 causes more than 255 OSPF neighbors to overflow a IO memory
> * structure (small buffer header). The attached program is a PoC to exploit
> * this vulnerability by executing "shell code" on the router and write the
> * attached configuration into NVRAM to basicaly own the router.
> *
- --
- ------------------------------------------------------------------------
----
| || || | Mike Caudill | mcaudill (at) cisco (dot) com [email concealed] |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ------------------------------------------------------------------------
----
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBPlaoLYpjyUnrvVJxEQLcZgCgxAkatIdM5EjV4uMcDgJqd/aFx9EAoPbm
Sw0/fZvhc3uuv0NnuBwfSWnw
=McnI
-----END PGP SIGNATURE-----
[ reply ]