Product Update: Cisco IOS Vulnerability
Date: July 28, 2003
Products Affected: Cisco Routers and Switches
Overview:
A flaw in the Cisco Internetworking Operating System (IOS) affects a wide range of Cisco devices that run IOS and process Internet Protocol Version 4 (IPv4) packets, which is the default configuration. Affected products include routers, Catalyst switches, and Aironet wireless devices running Cisco IOS versions 11.x and 12.x. Devices running only Internet Protocol Version 6 (IPv6) are not affected by this vulnerability.
Attack:
The flaw allows an attacker to cause a Denial of Service (DoS) by sending a sequence of specially crafted IPv4 packets directly to a vulnerable device. The crafted packets use IP protocol numbers 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND) and 103 (PIM), the same four protocols the ACL work-around below denies. They are never cleared from the receiving interface's input queue, so the queue is eventually counted as full and the interface stops accepting inbound traffic. The blocked interface does not recover on its own; the device must be rebooted to clear it. Exploit code has been released publicly on the Internet, so malicious users can readily block interfaces on unpatched Cisco devices and disrupt networks worldwide.
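As an added operational check (not part of the Cisco advisory or of this notice), the following Python parses the output of the IOS show interfaces command and flags interfaces whose input queue is full. It assumes, as the mechanism above implies, that a blocked interface reports its input queue size at or above the queue maximum (for example 75/75) while healthy interfaces report a small size; the sample output is constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the IOS "show interfaces" command.
# Serial0/0 is the constructed example of a wedged input queue (75/75).
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0001.0203.0405 (bia 0001.0203.0405)
  Internet address is 192.0.2.1/24
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 1000 bits/sec, 2 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 198.51.100.1/30
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
FastEthernet0/1 is administratively down, line protocol is down
  Hardware is AmdFE, address is 0001.0203.0406 (bia 0001.0203.0406)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# Interface header lines start in column 0; detail lines are indented.
IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def parse_input_queues(text: str) -> Dict[str, dict]:
    """Map each interface name to its status and input-queue counters."""
    result: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"status": m.group(2), "protocol": m.group(3)}
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            size, maxq, drops, flushes = map(int, m.groups())
            result[current].update(size=size, max=maxq,
                                   drops=drops, flushes=flushes)
    return result


def blocked_interfaces(text: str) -> List[str]:
    """Interfaces that are up but whose input queue is full (size >= max)."""
    blocked = []
    for name, info in parse_input_queues(text).items():
        if "size" not in info:
            continue  # no queue line seen for this interface
        if info["status"] == "up" and info["size"] >= info["max"]:
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for name in blocked_interfaces(SAMPLE_SHOW_INTERFACES):
        print(f"{name}: input queue full, reload required to recover")
```

Run it against captured show interfaces output from each device; an interface that is up with a full input queue and a zero input rate is the signature to look for.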
Solution:
There are two mitigations: an Access Control List (ACL) work-around that drops the affected IP protocol numbers at the interface, and an upgrade to a fixed IOS release for affected devices.
The ACL work-around, from Cisco's advisory:
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
The ACL is only effective once it is applied inbound on every interface of the device (ip access-group 101 in); an interface without it remains exploitable. Note that protocol 103 is PIM: if the device runs PIM multicast routing, permit protocol 103 from the device's known PIM neighbors ahead of the deny line rather than denying it outright, or multicast routing will break. See the links below for details involving specific devices and IOS versions.
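As an added illustration (not code from the Cisco advisory or from this notice), the following Python models the first-match semantics of the work-around ACL over constructed IPv4 headers, so the effect of each entry can be checked before the list is applied to a production device. The four deny entries and the final permit are the advisory's; the PIM-aware variant, the neighbor address 198.51.100.2 and all packet addresses are hypothetical.

```python
import ipaddress
import struct
from typing import List, Tuple

# An ACL entry as (action, protocol, source spec, destination spec).
# protocol "ip" matches every protocol; "any" matches every address.
Rule = Tuple[str, str, str, str]

# The work-around ACL from the advisory, in order.
WORKAROUND_ACL: List[Rule] = [
    ("deny", "53", "any", "any"),
    ("deny", "55", "any", "any"),
    ("deny", "77", "any", "any"),
    ("deny", "103", "any", "any"),
    ("permit", "ip", "any", "any"),
]

# Hypothetical variant for a device that runs PIM: permit protocol 103
# from a known neighbor before the deny entries.
PIM_NEIGHBOUR = "198.51.100.2"  # assumed neighbor address
PIM_AWARE_ACL: List[Rule] = [
    ("permit", "103", f"host {PIM_NEIGHBOUR}", "any"),
] + WORKAROUND_ACL

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def build_ipv4_packet(proto: int, src: str, dst: str, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 header (no options, no payload, checksum 0)."""
    return struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(packet: bytes) -> dict:
    """Extract protocol, ttl, source and destination from an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"protocol": proto, "ttl": ttl,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    raise ValueError(f"unsupported address spec: {spec}")


def evaluate_acl(acl: List[Rule], packet: bytes) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    hdr = parse_ipv4(packet)
    for action, proto, src, dst in acl:
        if proto != "ip" and int(proto) != hdr["protocol"]:
            continue
        if _match_addr(src, hdr["src"]) and _match_addr(dst, hdr["dst"]):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed packets: PIM from the neighbor, PIM from a stranger,
    # transit TCP, and a protocol-77 packet aimed at the router.
    samples = [
        ("PIM from neighbor", build_ipv4_packet(103, PIM_NEIGHBOUR, "198.51.100.1")),
        ("PIM from stranger", build_ipv4_packet(103, "203.0.113.9", "198.51.100.1")),
        ("transit TCP", build_ipv4_packet(6, "203.0.113.9", "192.0.2.50")),
        ("Sun ND (77) to router", build_ipv4_packet(77, "203.0.113.9", "192.0.2.1")),
    ]
    for label, pkt in samples:
        print(f"{label:22s} work-around={evaluate_acl(WORKAROUND_ACL, pkt):6s} "
              f"pim-aware={evaluate_acl(PIM_AWARE_ACL, pkt)}")
```

The model makes two properties of the work-around visible: it matches purely on the IP protocol field, so the four protocols are dropped whether the packet is addressed to the router or merely transiting it, and the order of entries matters, so the PIM-neighbor permit has to sit above the deny to take effect.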
Recommendation:
We suggest upgrading any affected IOS as soon as possible. Please see the following advisories:
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packets
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
CERT® Advisory CA-2003-15 Cisco IOS Interface Blocked by IPv4 Packet
http://www.cert.org/advisories/CA-2003-15.html
cisco-ios-ipv4-dos (12631) Cisco IOS IPv4 packet denial of service
http://xforce.iss.net/xforce/xfdb/12631
The Upgrade Group, Inc. has built a reputation in the marketplace for delivering reputable products at competitive prices. In addition to The Upgrade Group’s direct relationships with the manufacturers that build for Cisco, The Upgrade Group maintains relationships with excess inventory channels to provide guaranteed new and authentic original products. These products include GBICs, WICs, Network Modules and other Memory products for PC and Server applications.