I have no details regarding the IOS vulnerability other than what has already been stated on-list, but the IOS matrix obtained this evening and listed at http://www.0ptical.net/cisco.html shows what versions are affected, and what to upgrade to to resolve the mystery issue. Not sure why PSIRT is keeping this under wraps, since most NSPs are publicly scheduling "emergency upgrades" to fix "network problems" that aren't being detailed to customers, and those same customers can and will be affected by the same problem.
thx,
JT
Cisco has posted information regarding this issue and work arounds.
12.3 based code does not exhibit this problem.
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
- Darrell
I'm not sure how many of you have seen cases of a stuck
input or output queue on an interface in the past as well;
seems like Cisco needs a "clear queue" command.
- Jared
there is one - 'reload' 
The disturbing part of this advisory is that I can do something very
similar to one of my routers... and heretofore Cisco was unable to
tell me what was wrong.
Anyone have the "scheduled maintenance" mp3 lying around? I have a
feeling I am going to need it.
/joshua
This wouldn't be the "My gig port's down, and now it's up again..." song would it? 
If not, pass along the right one when you find it, will ya?
1) I didn't make this
2) I can't remember where I got it from
3) please don't abuse my connection too much tonight
http://puck.nether.net/~jared/gigflapping.mp3
- jared
don't abuse Jared, abuse me:
ftp://mirrors.secsup.org/tmp/gigflapping.mp3
it should be completely there in a few minutes.
> 1) I didn't make this
> 2) I can't remember where I got it from
> 3) please don't abuse my connection too much tonight
> http://puck.nether.net/~jared/gigflapping.mp3
That link is returning a 403. Here's a copy on one of my boxes:
http://www.ciphin.com/nanog/gigflapping.mp3
Todd
Folks may remember when ISPs were responding to the SNMP vulnerability
many backbones were rebooting their routers during maintenance windows.
At the time, some people monitoring BGP and other things thought the
Internet was under attack because a huge portion of the net bounced
early in the morning. In reality it was just one backbone during a
global router reboot.
Don't panic if you see BGP flaps from backbones during the next few
weeks.
Is anyone seeing this exploited in the wild? It'd be good to know if we
need to do a panic upgrade or can schedule it for our next maintenance
window (which is during the weekend).
I've been keeping my ear close to the ground. A number
of people have been attempting to find the packet to better place
ACLs in the Internet community, but I've also heard of people seeing
more series of "unusual" packets on their network in the past
few days as well.
Nobody has found it yet that I'm aware of, and Cisco found
this in internal testing, so I expect you will be safe for a
period of time sufficient to do weekend upgrades.
- jared
According to the cisco advisory, there are no reports of public knowledge
of the exploit nor has anyone been detected using the exploit.
Since Cisco is keeping the packet information confidential, you can't
program an IDS to detect it (i.e., no signature is available). But if your
router does hang up, the Cisco advisory includes information about
checking whether you've been hit by this bug, versus the numerous other bugs

Cisco stated if they receive any reports of the exploit in the wild,
they will re-issue the advisory with the updated information.
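The advisory's own check is not reproduced in this thread, and no poster supplies one. As an added example (not from Cisco, the advisory, or anyone on the list), the script below parses `show interfaces` output and flags interfaces that are up but whose input queue sits at its configured maximum, which is how a blocked input queue of the kind Jared mentioned shows up in that counter. The sample output is constructed, and treating "size equals max on an up interface" as the indicator is an assumption made for illustration; a full queue can have other causes, so it is a prompt to run the advisory's check before a reload, not a verdict.

```python
import re

# Constructed sample of "show interfaces" output (not captured from a real
# router). Serial0/0 is shown with its input queue full (75/75), the symptom
# this thread discusses: an interface that has stopped accepting traffic.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 1000 bits/sec, 2 packets/sec
Serial0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Input queue: 75/75/1432/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
Serial0/1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# An interface header starts at column 0: "<name> is <status>, line protocol is <proto>"
IFACE_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
# The input queue counter line: "Input queue: size/max/drops/flushes"
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def parse_show_interfaces(text):
    """Return one dict per interface with its status and input-queue counters."""
    interfaces = []
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = {"name": m.group(1), "status": m.group(2),
                       "protocol": m.group(3), "queue": None}
            interfaces.append(current)
            continue
        m = QUEUE_RE.search(line)
        if m and current is not None:
            size, maximum, drops, flushes = map(int, m.groups())
            current["queue"] = {"size": size, "max": maximum,
                                "drops": drops, "flushes": flushes}
    return interfaces


def blocked_interfaces(text):
    """Names of interfaces that are up/up but whose input queue is at its maximum.

    Assumption (for illustration): an up interface holding a full input queue
    is the signature of a blocked queue worth checking per the advisory.
    """
    return [i["name"] for i in parse_show_interfaces(text)
            if i["queue"] is not None
            and i["status"] == "up" and i["protocol"] == "up"
            and i["queue"]["size"] >= i["queue"]["max"]]


if __name__ == "__main__":
    for name in blocked_interfaces(SAMPLE_SHOW_INTERFACES):
        print(f"{name}: input queue full, check against the advisory before reloading")
```

Fed real output, the same functions could be polled from a monitoring host so a queue that stays pinned at its maximum raises an alert instead of being discovered when the circuit goes quiet.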
Mirrored at http://www.netacc.net/~rtucker/gigflapping.mp3 ... same disclaimers as Jared gives, but I have more bandwidth.
-rt (what do you mean I need a new chassis?)
If Cisco made THIS big a deal of this to not release info to the public,
I wouldn't wait. There must be a reason. I had to push and push to get
any info and I think they finally gave up because too many people knew.
If you notice
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
For Public Release 2003 July 17 at 0:00 UTC (GMT)
But at the bottom it says:
Distribution
This notice will be posted on the Cisco worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml at
21:00 GMT on July 17th, 2003.
Hmmm... I think that means 4PM CT TOMORROW! From what I understand they
didn't want this to be public until tomorrow afternoon.
- D
The workaround for transit suggests permitting only tcp, udp, icmp, gre, esp, and ah protocols. Is this sufficient to protect the router itself, or do you have to get hard-nosed with specific ACLs (restricting access to all your possible interface addresses)?
Jeff
> 1) I didn't make this
> 2) I can't remember where I got it from
> 3) please don't abuse my connection too much tonight
There is another thing to play when reloading boxes; the above
disclaimers 1 and 2 apply.
http://www.he.iki.fi/favorites.mpeg
Pete
which says...
"Customers with contracts should obtain upgraded software free of charge through
their regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on the Cisco worldwide website
at http://www.cisco.com/tacpage/sw-center/sw-ios.html."
I may have been a few off, but I counted *139* different trains on that page as
being affected. The 12.0S train alone has *13* different rebuilds.
And there's *gotta* be at least 3-4 trains that suffer from bad karma and refuse
to rebuild unless the Rebuild Wizard comes by and sprinkles Magic Rebuild Dust
all over the place, and then there's the special procedure put in place after last
year's debacle when the Magic Rebuild Dust got on that llama... 
In other words - yeah, it's probably important to get this update deployed. But
unless somebody has hard evidence to the contrary, I'm betting on it just being
an attempt to not let things leak out till they're ready to ship across the
board. That's a LOT of trains and rebuilds that all need to be ready at the
same time, and Fred Brooks taught us all 30 years ago what happens when you try
something like that. 
:should be obtained through the Software Center on the Cisco worldwide website
:at http://www.cisco.com/tacpage/sw-center/sw-ios.html
I'm getting a 404 "not found" for that URL, while logged into CCO.
It should be:
http://www.cisco.com/tacpage/sw-center/sw-ios.shtml
The Advisory is being updated. It might even be out there.