New Cisco Vulnerability

From: "Vincent J. Bono" <vbono@vinny.org>
Date: Wed, 16 Jul 2003 15:17:54 -0400

Hello All,

There seem to be rumors going around that there is a new major Cisco
vulnerability but only the major backbones are being given fixes
right now.

Not 100% true... Anyone with a Catalyst 4000/5000/6000 can get it -
free. See this URL for details.

Something about packets malformed in a certain manner cause the
router to wedge.

True.

Regards,
Gregory Hicks

Different vulnerability from what I hear.

I'm hearing similar rumors, and Genuity has a "planned emergency
maintenance" tomorrow morning, and there's some major weirdness with
our AT&T feed over the past half hour.

The rumored vulnerability is IOS, not CatOS and supposedly causes a reload,
not a telnet DoS.

This might explain the (very!) high number of maintenance alerts from
QWest this week, as well....

> I'm hearing similar rumors, and Genuity has a "planned emergency
> maintenance" tomorrow morning, and there's some major weirdness with
> our AT&T feed over the past half hour.

Sprint, L3 and Cogent also announced a series of emergency maintenances.

Pete

> This might explain the (very!) high number of maintenance alerts from
> QWest this week, as well....

Ok, fine, don't tell the rest of us what it is, how to detect it, or how
to defend against it. We in the university space will just do nothing because
we have nothing to put into our IDS sensors to watch for/block it out.
Because, you know, we're going to be the sources :)

Eric :)

And then we'll hear all of the usual flak about how universities are
unprepared to handle security problems...

I would just like to hear if there is a publicly available fix yet.
If the backbone carriers have already scheduled their work, then they
likely have a fix in hand. If the fix isn't available, then a rough
schedule would be good so we can plan.

I'd like to understand the vulnerability, but I'd certainly be okay with
Cisco saying "psst. put this version of IOS on your boxes. don't ask us
why just yet. we'll explain more later."

Or, maybe they WANT *our* routers to kick over so that we can't source the
attack...

michael