FYI
High Vulnerability
Version: 1 8/18/2004@17:10:29 GMT
Initial report
ID#401573:
Cisco Systems IOS Malformed OSPF Packet Denial of Service Vulnerability: Remote exploitation of a denial of service vulnerability in the Open Shortest Path First (OSPF) TCP/IP Internet routing protocol handling functionality within multiple versions of Cisco Systems Inc.'s Internetwork Operating System (IOS) allows attackers to potentially crash the affected Cisco device.
OSPF is an Interior Gateway Protocol (IGP), meaning it distributes routing data between routers belonging to a single Autonomous System (AS). Each OSPF router maintains an identical database describing the Autonomous System's topology. From this database, a routing table is calculated by constructing a shortest-path tree.
While details of the vulnerability are limited as of this report, what is known is that various parameters must be known for successful exploitation, namely the OSPF area number and netmask, hello, and dead timers configured on the targeted device.
Sources: Cisco Systems Inc. (Security Advisory # 61365, Aug. 18, 2004)
Internet Engineering Task Force (IETF) (Request for Comments (RFC) # 2328, April 01, 1998)
Analysis: (iDEFENSE US) Exploitation will reset any targeted Cisco device upon which faulty IOS software is installed. Repeated exploitation could extend the attack indefinitely. It would take several minutes for the device to be restored to normal functionality. This vulnerability is particularly dangerous, since OSPF processes unicast and multicast packets, making remote exploitation a possibility. Further, it is also possible to target multiple devices on the local segment simultaneously. One mitigating factor, however, is that OSPF is not enabled by default.
Detection: Cisco IOS release trains based on 12.0S, 12.2 and 12.3 are affected. Releases based on the 12.0 and 12.1 mainlines, all Cisco IOS images earlier than 12.0, and any products running any IOS version that does not have OSPF configured or enabled, are unaffected.
A comprehensive listing of all susceptible IOS versions follows:
• 12.0(22)S and later
• 12.0(23)SX and later
• 12.0(22)SY and later
• 12.0(23)SZ and later
• 12.2(15)B and later
• 12.2(15)BC and later
• 12.2(15)BX and later
• 12.2(15)BZ and later
• 12.2(15)CX and later
• 12.2(18)EW and later
• 12.2(15)MC1 and later
• 12.2(18)S and later
• 12.2(18)SE and later
• 12.2(18)SV and later
• 12.2(18)SW and later
• 12.2(14)SZ and later
• 12.2(15)T and later
• 12.2(11)YU and later
• 12.2(11)YV and later
• 12.2(13)ZD and later
• 12.2(13)ZE and later
• 12.2(13)ZF and later
• 12.2(13)ZG and later
• 12.2(13)ZH and later
• 12.2(15)ZJ and later
• 12.2(15)ZK and later
• 12.2(15)ZL and later
• 12.2(15)ZN and later
• 12.2(15)ZO and later
• All 12.3 releases
• All 12.3.B releases
• All 12.3.BW releases
• All 12.3.T releases
• All 12.3.XA releases
• All 12.3.XB releases
• All 12.3.XC releases
• All 12.3.XE releases
A Cisco device running an OSPF process has a line in the configuration defining the process number, which can be seen by issuing the show running-config command.
To determine the software running on a Cisco product, log onto the device and issue the show version command to display the system banner. IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command, or will give different output.
Recovery: Restarting the affected device should restore normal functionality.
Exploit: iDEFENSE is unaware of any publicly available exploit code(s) for this issue.
Workaround: Cisco suggests using OSPF authentication. OSPF packets without a valid key will not be processed. MD5 authentication is highly recommended, due to inherent weaknesses in plaintext authentication. With plaintext authentication, the authentication key will be sent unencrypted over the network, which can allow an attacker on a local network segment to capture the key by sniffing packets. Further details are available at the link shown.
Cisco OSPF Authentication Documentation:
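The detection steps above (checking the show version banner against the affected-version list and looking for an OSPF process in show running-config) and the authentication workaround can be combined into a small audit script. The following Python is an added example, not part of the iDEFENSE advisory or any Cisco tooling: the show version banner and running-config excerpts in it are constructed samples, the image name is a placeholder, and the per-interface classification is a first pass only (which key is actually active on an interface also depends on the ip ospf authentication and area authentication mode, which this script does not evaluate).

```python
"""Audit helper (added example, not from the advisory): decide whether a
device's IOS release falls in the affected list and whether its OSPF
interfaces carry MD5, plaintext or no authentication."""
import re

# Minimum maintenance number per (major.minor, train) from the advisory's
# list; "and later" means that maintenance number or higher within the train.
AFFECTED_MIN = {
    ("12.0", "S"): 22, ("12.0", "SX"): 23, ("12.0", "SY"): 22, ("12.0", "SZ"): 23,
    ("12.2", "B"): 15, ("12.2", "BC"): 15, ("12.2", "BX"): 15, ("12.2", "BZ"): 15,
    ("12.2", "CX"): 15, ("12.2", "EW"): 18, ("12.2", "MC"): 15,  # 12.2(15)MC1
    ("12.2", "S"): 18, ("12.2", "SE"): 18, ("12.2", "SV"): 18, ("12.2", "SW"): 18,
    ("12.2", "SZ"): 14, ("12.2", "T"): 15, ("12.2", "YU"): 11, ("12.2", "YV"): 11,
    ("12.2", "ZD"): 13, ("12.2", "ZE"): 13, ("12.2", "ZF"): 13, ("12.2", "ZG"): 13,
    ("12.2", "ZH"): 13, ("12.2", "ZJ"): 15, ("12.2", "ZK"): 15, ("12.2", "ZL"): 15,
    ("12.2", "ZN"): 15, ("12.2", "ZO"): 15,
}
# "All 12.3 releases" of the listed trains ("" is the 12.3 mainline).
for _train in ("", "B", "BW", "T", "XA", "XB", "XC", "XE"):
    AFFECTED_MIN[("12.3", _train)] = 0

# Matches the "Version 12.2(15)T5" token the advisory describes on the
# banner's second line: major.minor(maintenance)TRAIN[rebuild].
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)([A-Z]*)")

# Constructed sample banners (image name is a placeholder, not a real image).
SAMPLE_SHOW_VERSION = """Cisco Internetwork Operating System Software
IOS (tm) EXAMPLE Software (EXAMPLE-IMAGE-M), Version 12.2(15)T5, RELEASE SOFTWARE (fc1)
"""
SAMPLE_SHOW_VERSION_UNAFFECTED = """Cisco Internetwork Operating System Software
IOS (tm) EXAMPLE Software (EXAMPLE-IMAGE-M), Version 12.1(20), RELEASE SOFTWARE (fc1)
"""

# Constructed running-config excerpt: one MD5 interface, one plaintext
# interface, one with no OSPF authentication, and a single OSPF process.
SAMPLE_RUNNING_CONFIG = """!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
!
interface Serial0/0
 ip address 10.0.1.1 255.255.255.252
 ip ospf authentication-key PLAINKEY
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
router ospf 100
 network 10.0.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
!
"""


def parse_ios_version(show_version: str):
    """Return (major.minor, maintenance, train) from an IOS banner, or None
    when the output is not an IOS banner (other Cisco software differs)."""
    if "Internetwork Operating System" not in show_version and "IOS" not in show_version:
        return None
    m = VERSION_RE.search(show_version)
    if not m:
        return None
    return (f"{m.group(1)}.{m.group(2)}", int(m.group(3)), m.group(4))


def is_affected(show_version: str) -> bool:
    """True when the banner's release is in the advisory's affected list."""
    parsed = parse_ios_version(show_version)
    if parsed is None:
        return False
    major_minor, maintenance, train = parsed
    key = (major_minor, train)
    return key in AFFECTED_MIN and maintenance >= AFFECTED_MIN[key]


def ospf_processes(config: str):
    """OSPF process IDs from 'router ospf N' lines; empty means no OSPF,
    which the advisory says leaves the device unaffected."""
    return [int(n) for n in re.findall(r"^router ospf (\d+)", config, re.M)]


def ospf_interface_auth(config: str):
    """Map each interface to 'md5', 'plaintext' or 'none' from the OSPF key
    commands in its block. MD5 wins when both key types are present; the
    active mode also depends on 'ip ospf authentication' / area settings."""
    result, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = "none"
        elif line.startswith("!"):
            current = None
        elif current and stripped.startswith("ip ospf message-digest-key"):
            result[current] = "md5"
        elif current and stripped.startswith("ip ospf authentication-key"):
            if result[current] == "none":
                result[current] = "plaintext"
    return result


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_SHOW_VERSION))
    print("ospf processes:", ospf_processes(SAMPLE_RUNNING_CONFIG))
    for intf, mode in ospf_interface_auth(SAMPLE_RUNNING_CONFIG).items():
        print(f"{intf}: {mode}")
```

Interfaces reported as "plaintext" or "none" are the ones to bring up to MD5 per the workaround; a device with no router ospf line is outside the advisory's scope regardless of its release.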
Vendor Fix: Cisco has released updated IOS versions that fix this problem. Customers with contracts should obtain upgraded software via Cisco's Software Center, which is available at Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:
• +1 800 553 2447 (toll free from within North America)
• +1 408 526 7209 (toll call from anywhere in the world)
• e-mail: tac@cisco.com
IOS Patch Listing (Security Advisory # 61365):
Vulnerability Types: Denial of Service
Prevalence and Popularity: Almost always
Evidence of Active Exploitation or Probing: No known exploitation or spike in probing
Ease of Exploitation: Remotely Exploitable
Existence and Availability of Exploit Code: iDEFENSE is unaware of publicly available exploit code for this issue.
Vulnerability Consequence: Availability
SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!