Cisco IOS Bug?


allan
07-16-03, 01:16 PM
There has apparently been a flood of emergency maintenance announcements across all major ISP backbones recently. And there are rumors floating around NANOG that there is a new IOS that has not been announced to the general public...

Anyone heard anything?

Here's the rumor:

http://www.merit.edu/mail.archives/nanog/msg11211.html

allan
07-16-03, 04:07 PM
Additional information is apparently going to be released soon. In the meantime, people are recommending that you drop packets destined for an IP address on the router -- unless of course those packets come from a trusted source, which people should be doing anyway.

allan
07-16-03, 07:10 PM
It's time to upgrade your routers:

http://www.cisco.com/en/US/products/hw/routers/ps341/products_security_advisory09186a00801a34c2.shtml

Apparently, if an attacker sends a series of packets directly to the IOS interface, it can bring down the router (make it stop routing).


Version information is here:

http://www.0ptical.net/cisco.html

It doesn't look like the versions are available for download yet, so you will probably have to go through the TAC to get them.

firm1
07-18-03, 08:12 AM
The attack has begun.

http://biz.yahoo.com/djus/030718/1136000519_2.html

allan
07-18-03, 08:55 AM
The following access list should protect your routers (as recommended by Cisco):

access-list 101 remark Drop the four IP protocols named in the Cisco advisory
access-list 101 remark 53 = SWIPE, 55 = IP Mobility, 77 = Sun ND, 103 = PIM
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any

allan
07-18-03, 08:56 AM
And if you want to test, you can use hping to form the packets mentioned in the latest iteration of the Cisco warning:

http://www.hping.org/
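
As an added example (not from this thread, from Cisco, or from hping), here is a Python model of the two filtering ideas discussed above: the protocol-number access list posted by allan and the earlier advice to drop anything destined for the router's own addresses unless it comes from a trusted source. It parses the subset of IOS extended access-list syntax used in those lists and applies it to hand-built IPv4 headers of the kind hping's raw-IP mode would send, so you can see which packets each list drops before touching a router. The router address 198.51.100.1, the management prefix 192.0.2.0/24 and the attacker source 203.0.113.9 are made up for the example.

```python
"""Added example: a Python model of the two IOS access-list ideas from the
thread. It is not Cisco's code or the poster's; it parses the subset of
extended-ACL syntax used here and applies it to hand-built IPv4 headers.
All addresses are made up (RFC 5737 documentation ranges)."""
import ipaddress
import struct

# Cisco's recommended filter, as posted in the thread: drop IP protocols
# 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND) and 103 (PIM).
BLOCK_PROTOS_ACL = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

# The earlier recommendation: only a trusted management prefix may send
# anything to the router's own address (assumed here to be 198.51.100.1);
# transit traffic through the router is left alone.
PROTECT_ROUTER_ACL = """
access-list 102 permit ip 192.0.2.0 0.0.0.255 host 198.51.100.1
access-list 102 deny ip any host 198.51.100.1
access-list 102 permit ip any any
"""

# IOS protocol keywords; "ip" means any protocol. Numbers are also allowed.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47}


def _addr_spec(tokens, i):
    """Consume one address spec and return ((addr, wildcard), next_index).
    IOS wildcard bits set to 1 mean 'do not care' (inverse of a netmask)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        proto = PROTO_KEYWORDS[proto] if proto in PROTO_KEYWORDS else int(proto)
        src, i = _addr_spec(t, 4)
        dst, _ = _addr_spec(t, i)
        rules.append((action, proto, src, dst))
    return rules


def _matches(spec, ip):
    addr, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def acl_decision(rules, pkt):
    """First matching rule wins; every IOS ACL ends in an implicit deny."""
    for action, proto, src, dst in rules:
        if proto is not None and proto != pkt["proto"]:
            continue
        if _matches(src, pkt["src"]) and _matches(dst, pkt["dst"]):
            return action
    return "deny"


def checksum(data):
    """RFC 791 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, ttl=64, payload_len=0):
    """Build a minimal 20-byte IPv4 header (no options), as hping -0 would."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(raw)  # header checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4(pkt):
    """Pull the fields an ACL looks at out of a raw IPv4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ttl": f[5], "proto": f[6],
            "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9]))}


def decide(acl_text, pkt):
    return acl_decision(parse_acl(acl_text), parse_ipv4(pkt))


if __name__ == "__main__":
    # A protocol-53 packet aimed at the router's own address.
    probe = ipv4_header("203.0.113.9", "198.51.100.1", 53, ttl=1)
    print("101:", decide(BLOCK_PROTOS_ACL, probe))    # deny
    print("102:", decide(PROTECT_ROUTER_ACL, probe))  # deny
    transit = ipv4_header("203.0.113.9", "198.51.100.77", 6)
    print("102 transit:", decide(PROTECT_ROUTER_ACL, transit))  # permit
```

Two points the model makes visible: rules are evaluated top down and the first match wins, and a list with no matching rule denies, so the trailing `permit ip any any` in both lists is what keeps transit traffic flowing. Note also that an access list does nothing until it is applied inbound on each interface with `ip access-group 101 in`; the posted list does not show that step.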

allan
07-18-03, 08:59 AM
Or you can download a program that does the exploit:

http://lists.netsys.com/pipermail/full-disclosure/2003-July/011421.html

XabuJr
07-21-03, 09:13 PM
I work for an ISP, and I have upper-level engineers saying that smaller Cisco 1700 routers are not affected by this bug. I disagree with that, since it says ALL devices. Problem is, they don't seem to want to listen or they just don't care. Anyone have any cold, hard points I could use to get their attention? Or a compiled tool to actually show them by locking up a few of the test routers?

thanks!

allan
07-21-03, 09:18 PM
The program in the link above is compiled; all you have to do is decompress it on a UNIX box and fire away...

XabuJr
07-21-03, 09:25 PM
I'm still a rookie with that, so would I just copy and paste the above into a text file and put it in Linux even? I have a Red Hat box here at home, but I'm still learning Linux. Unfortunately I was groomed as a Windoze person. :(