Cisco Vulnerability Testing Results

Hi all,

  First post.. I hope this is ok ...

  We tested the Cisco vulnerability and I wanted to share our results
with you ...

  The attack code we used is the same code that was posted to the Full
Disclosure list. Compiled on a Redhat Linux 6.2 machine.

Testing scenario is this :

Linux Machine (10.0.0.2/24)
Cisco 2514
   Ethernet0 (10.0.0.1/24) is in from the attacker
   Ethernet1 (192.168.0.1/24) is output to the 2501
Cisco 2501
   Ethernet0 (192.168.0.2/24) is in from the 2514

First attack was to the 2514, ran the program as thus :

./sc 192.168.0.1 1

This produced unexpected results. Cisco indicated that the vulnerability
was on the interface specified in the packets. However, after running
this, it was actually the INPUT interface that the input queue increased
on. In our test, this was Ethernet0, not Ethernet1 as expected.

Next attack was to the 2501 :

./sc 192.168.0.2 2

This produced expected results. Input queue did increase on the 2501.

Next we tried a pass-through attack :

./sc 192.168.0.2 0
./sc 192.168.0.2 1

No interfaces on either Cisco were affected. It seems that pass-through
attacks are not possible. The attack *must* terminate on an IP on one of
the router interfaces.

An additional test to both routers using a high TTL value was also run.
No interfaces were affected. This is in-line with Cisco's posting.

Code was then upgraded on the 2514 to 12.0.27 (non-vulnerable) .. Tests
were run again. This time, the 2514 was not affected by any tests. The
2501 was still vulnerable.

I will be testing ACLs in a moment, but I wanted to get these results
out and see if they were on-par with any testing anyone else has done.
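The symptom the post keys on is the input queue of the *receiving* interface filling up. The following is an added example, not code from the post or its author: a small parser for the standard IOS 12.x "Input queue: size/max/drops/flushes" line of `show interfaces` that flags any interface whose queue is sitting at its maximum. The sample output below is constructed to mirror the post's 2514 (Ethernet0 wedged, Ethernet1 healthy); it was not captured from the routers described.

```python
import re

# Constructed sample of "show interfaces" output modelled on the post's 2514.
# Not a capture from the test routers. The "Input queue: size/max/drops/flushes"
# line is the standard IOS 12.x format.
SAMPLE_SHOW_INTERFACES = """\
Ethernet0 is up, line protocol is up
  Hardware is Lance, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 10.0.0.1/24
  Last input 00:00:01, output 00:00:00, output hang never
  Input queue: 75/75/0/0 (size/max/drops/flushes); Total output drops: 0
Ethernet1 is up, line protocol is up
  Hardware is Lance, address is 0000.0c12.3457 (bia 0000.0c12.3457)
  Internet address is 192.168.0.1/24
  Last input 00:00:00, output 00:00:00, output hang never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""

# First line of each interface block: "<name> is <state>, line protocol is <state>"
INTF_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (\S+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")


def parse_input_queues(text):
    """Return {interface: (size, max, drops, flushes)} from show interfaces output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = QUEUE_RE.search(line)
        if m and current:
            result[current] = tuple(int(x) for x in m.groups())
    return result


def wedged_interfaces(text, threshold=1.0):
    """Interfaces whose input queue size/max ratio is at or above threshold.

    A queue parked at max (75/75) that never drains is the wedge symptom the
    post describes: the interface stops accepting traffic even though it still
    reports up/up. A lower threshold (e.g. 0.5) gives an early warning.
    """
    return sorted(
        name
        for name, (size, qmax, _drops, _flushes) in parse_input_queues(text).items()
        if qmax and size / qmax >= threshold
    )


if __name__ == "__main__":
    print(parse_input_queues(SAMPLE_SHOW_INTERFACES))
    print("wedged:", wedged_interfaces(SAMPLE_SHOW_INTERFACES))
```

Feed it the output of `show interfaces` polled over a few seconds; a queue that stays pinned at max with the drop counter not moving is the pattern to alarm on, since a merely busy interface would show drops climbing and the size fluctuating.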

Ok, update to my testing :


Testing scenario is this :

Linux Machine (10.0.0.2/24)
Cisco 2514
   Ethernet0 (10.0.0.1/24) is in from the attacker
   Ethernet1 (192.168.0.1/24) is output to the 2501
Cisco 2501
   Ethernet0 (192.168.0.2/24) is in from the 2514

<SNIP>

Firstly, HPing (www.hping.org) can craft the packets required for this
attack very simply... I won't post the exact command string, but it's
not that hard to figure out... And with HPing, you can easily take down
an interface in under a second.

Now, on to ACL testing...

3 ACL tests just to make sure we had everything correct ... We first
tried the any any ACL that Cisco recommends :

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any

This produced expected results. When placed on the interface, it
prevented the router from being attacked.

Next, we tried an ACL with just the interface IP in it :

access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 permit ip any any

We applied this to the Ethernet0 interface on the 2514. Attacks to that
IP were prevented as expected.

Attacks through to the 2501 were not blocked, again as expected.

And finally, attacks to the ethernet1 interface on the 2514, which
passes through the ethernet0 interface, still caused the ethernet0
interface to be attacked.

And the last test was an ACL containing all of the IP's on the router:

access-list 101 deny 53 any host 10.0.0.1
access-list 101 deny 55 any host 10.0.0.1
access-list 101 deny 77 any host 10.0.0.1
access-list 101 deny 103 any host 10.0.0.1
access-list 101 deny 53 any host 192.168.0.1
access-list 101 deny 55 any host 192.168.0.1
access-list 101 deny 77 any host 192.168.0.1
access-list 101 deny 103 any host 192.168.0.1
access-list 101 permit ip any any

This blocked all attacks on the 2514 while still allowing attacks
through to the 2501.. This is as expected.

Also, another note. Loopback interfaces, while not vulnerable
themselves, make it much easier to completely take out routers.. (We're
assuming that the device is still vulnerable) If the attacker has the
loopback of the router, they can run an attack at that interface. Every
input interface will be attacked in succession. As each interface goes
down and the traffic re-routed, the next interface will fall under
attack.

Just be sure to add the loopback IP as part of the ACL ... :)
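The ACL results above come down to first-match evaluation against the packet's destination address, independent of which interface actually absorbs the damage. The following is an added example, not code from the post or from Cisco: a small model of IOS extended-ACL matching that regenerates the three ACLs the post tested, adds a fourth covering a loopback, and reports which destinations a protocol-53 packet from the attacker still reaches when the list is applied inbound on Ethernet0. The loopback address 172.16.0.1 is an assumption (the post gives none), and the "address wildcard" spec form is supported beyond what the post uses.

```python
import ipaddress

ATTACK_PROTOS = (53, 55, 77, 103)   # IP protocol numbers the post's ACLs deny
ATTACKER = "10.0.0.2"               # the Linux box in the post's test setup
LOOPBACK = "172.16.0.1"             # assumed loopback address; the post gives none


def _parse_spec(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    # "address wildcard" form (not used in the post): set wildcard bits are don't-care
    addr = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (lambda ip, a=addr, w=wild: (int(ip) | w) == (a | w)), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        permit = t[2] == "permit"
        proto = None if t[3] == "ip" else int(t[3])   # None matches any protocol
        src_m, i = _parse_spec(t, 4)
        dst_m, _ = _parse_spec(t, i)
        rules.append((permit, proto, src_m, dst_m))
    return rules


def acl_permits(rules, proto, src, dst):
    """First matching rule wins; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, rule_proto, src_m, dst_m in rules:
        if (rule_proto is None or rule_proto == proto) and src_m(s) and dst_m(d):
            return permit
    return False


def deny_attack_protocols(acl_no, hosts=()):
    """Generate the ACL shape used in the post: deny 53/55/77/103 to each
    router-owned address (or to 'any' when no hosts are given), then permit ip any any."""
    dsts = [f"host {h}" for h in hosts] or ["any"]
    lines = [f"access-list {acl_no} deny {p} any {d}" for d in dsts for p in ATTACK_PROTOS]
    lines.append(f"access-list {acl_no} permit ip any any")
    return "\n".join(lines)


# The three ACLs tested in the post, plus one that also covers the (assumed) loopback.
ACL_ANY = deny_attack_protocols(101)
ACL_E0_ONLY = deny_attack_protocols(101, ["10.0.0.1"])
ACL_ALL_IPS = deny_attack_protocols(101, ["10.0.0.1", "192.168.0.1"])
ACL_ALL_IPS_PLUS_LOOPBACK = deny_attack_protocols(101, ["10.0.0.1", "192.168.0.1", LOOPBACK])


def attack_reaches(acl_text, dst, proto=53, src=ATTACKER):
    """True if a packet of the given protocol passes the ACL applied inbound on Ethernet0."""
    return acl_permits(parse_acl(acl_text), proto, src, dst)


def summarize(acl_text):
    """For each destination the attacker can aim at, does a protocol-53 packet get through?
    192.168.0.2 is the 2501 behind the 2514, i.e. pass-through traffic."""
    return {dst: attack_reaches(acl_text, dst)
            for dst in ("10.0.0.1", "192.168.0.1", LOOPBACK, "192.168.0.2")}


if __name__ == "__main__":
    for name, acl in (("any any", ACL_ANY), ("E0 only", ACL_E0_ONLY),
                      ("all IPs", ACL_ALL_IPS), ("all IPs + loopback", ACL_ALL_IPS_PLUS_LOOPBACK)):
        print(f"{name:20s} {summarize(acl)}")
```

The point the table makes: with only the Ethernet0 address listed, a packet addressed to 192.168.0.1 or to the loopback is permitted through the inbound list, and, as the post observed, it is Ethernet0 that pays for it. Only the list naming every address the router owns (including the loopback) blocks all of them while still passing the same protocols through to the 2501, which is why the post recommends the "any any" form where nothing behind the router needs those protocols.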

Just a quick credit email.. :)

I wanna make sure credit is given to the 2 guys who helped with this
testing.. Keith Pachulski and Chrus Kruslicky .. both from PTD..

:)

Just for fun we hit an old AGS+ router with 10.2(4) code on it..
Apparently older code is vulnerable too..

So.. everyone running AGS+'s in the core, beware.. *grin*