BugTraq
Cisco CSS 11000 Series DoS Aug 07 2003 12:39PM
S21SEC (vul-serv s21seccom s21sec com) (2 replies)
Re: Cisco CSS 11000 Series DoS Sep 07 2003 10:13PM
Mike Caudill (mcaudill cisco com)
Re: Cisco CSS 11000 Series DoS Aug 08 2003 05:51PM
Mike Caudill (mcaudill cisco com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is to acknowledge your postings regarding a Denial of Service
vulnerability in the Cisco CSS 11000 platforms located at:

Vulnwatch list:
http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0073.html

BUGTRAQ:
http://www.securityfocus.com/archive/1/332284/2003-08-05/2003-08-11/0

The Cisco PSIRT is investigating the issue further. Once we have verified
details surrounding this problem, we will post a response to both forums
with more information regarding fixed software versions and applicable
workarounds which can be used to mitigate the problem.

Thanks.

- -Mike-

> ###############################################################
> ID: S21SEC-025-en
> Title: Cisco CSS 11000 Series DoS
> Date: 04/07/2003
> Status: Solution available
> Scope: Interruption of service, high CPU load.
> Platforms: All/Chassis CS800.
> Author: ecruz, egarcia, jandre
> Location: http://www.s21sec.com/en/avisos/s21sec-025-en.txt
> Release: External
> ###############################################################
>
> S 2 1 S E C
>
> http://www.s21sec.com
>
> Cisco CSS 11000 Series Denial of service
>
> Description of vulnerability
> ----------------------------
>
> A heavy storm of TCP SYN packets directed to the circuit address of the CSS
> can cause DoS on it, high CPU load or even sudden reboots.
>
> The issue is known by Cisco as the ONDM Ping failure (CSCdz00787). On the
> CS800 chassis the system controller module (SCM) sends ONDM (online
> diagnostics monitor) pings to each SFP card in order to see if they are
> alive. If the SCM doesn't get a response in about 30 seconds, the SCM will
> reboot the CS800 and there will be no core.
>
> By attacking the circuit IP address of the CSS with SYN packets, the
> traffic is sent up to the SCM over the internal MADLAN ethernet interface.
> If this internal interface becomes overloaded, the ONDM ping request and
> response traffic can be dropped, leading to an internal DoS since no
> internal communications are available.
>
> Any attacker could do this externally with a few sessions of NMAP and a
> cable/ADSL internet connection.
>
> Affected Versions and platforms
> -------------------------------
>
> This vulnerability affects the models 11800, 11150 and 11050 with chassis
> CS800.
>
> Solution
> --------
>
> Upgrade to software release WebNS 5.00.110s or above.
> http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a008014ee04.html
>
> ACLs to protect the circuit address are recommended.
>
> Additional information
> ----------------------
>
> These vulnerabilities have been found and researched by:
>
> Eduardo Cruz ecruz (at) s21sec (dot) com
> Emilin Garcia egarcia (at) s21sec (dot) com
> Jordi Andre jandre (at) s21sec (dot) com
>
> You can find the last version of this warning in:
>
> http://www.s21sec.com/en/avisos/s21sec-025-en.txt
>
> And other S21SEC warnings in http://www.s21sec.com/en/avisos/

- --
- ----------------------------------------------------------------------------
| || || | Mike Caudill | mcaudill (at) cisco (dot) com |
| || || | PSIRT Incident Manager | 919.392.2855 |
| |||| |||| | DSS PGP: 0xEBBD5271 | 919.522.4931 (cell)|
| ..:||||||:..:||||||:.. | RSA PGP: 0xF482F607 ---------------------|
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBPzPjG4pjyUnrvVJxEQJNOwCfR7b6rjXNpcAmbgXue5pk6t6+PDEAoO4n
vZpl/lFWudgREMq98AwDGbFq
=DY/N
-----END PGP SIGNATURE-----
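
The quoted advisory describes a SYN storm against the circuit address starving the ONDM pings, which time out after about 30 seconds. The following is an added example, not part of the original posts or of any Cisco or S21SEC material: a sliding-window monitor that flags such a storm from packet logs. The circuit address, the log format and the threshold are assumptions chosen for illustration.

```python
from collections import deque

# Assumptions (not from the advisory): the circuit address, the log format
# "<epoch> <src> <dst> <tcp-flags>" and the threshold are illustrative.
CIRCUIT_ADDR = "192.0.2.10"   # placeholder circuit IP (documentation range)
WINDOW_S = 10.0               # well inside the ~30 s ONDM ping timeout
SYN_THRESHOLD = 50            # bare SYNs per window before alerting


def parse(line):
    """Return (ts, src, dst, flags), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], parts[3]
    except ValueError:
        return None


def detect_syn_storm(lines, circuit=CIRCUIT_ADDR, window=WINDOW_S,
                     threshold=SYN_THRESHOLD):
    """Return [(alert_ts, syn_count, distinct_sources)], one per storm onset."""
    recent = deque()          # (ts, src) of bare SYNs aimed at the circuit IP
    alerts, alerting = [], False
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, flags = rec
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # age out SYNs older than the window
        if dst == circuit and flags == "S":
            recent.append((ts, src))
        over = len(recent) >= threshold
        if over and not alerting:   # alert on the rising edge only
            alerts.append((ts, len(recent), len({s for _, s in recent})))
        alerting = over
    return alerts


def constructed_log():
    """Constructed sample: slow legitimate SYNs, then a burst from 3 sources."""
    log = [f"{t:.2f} 198.51.100.5 {CIRCUIT_ADDR} S" for t in range(20)]
    log += ["not a log line", f"50.00 198.51.100.5 {CIRCUIT_ADDR} SA"]
    log += [f"{100 + i * 0.01:.2f} 203.0.113.{i % 3 + 1} {CIRCUIT_ADDR} S"
            for i in range(200)]
    log.append("130.00 198.51.100.5 192.0.2.99 S")  # quiet period afterwards
    return log
```

Keeping the window well under the 30-second ONDM timeout means an alert fires before the SCM would give up on its pings and reboot the chassis.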
