Protecting inbound interfaces (re: Cisco exploit)

Is there a way to globally protect all inbound interfaces on a router via ACL
(specifically hundreds of frame/sub-interfaces) without applying the same ACL
to each individual interface?

Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
that I'm looking for?

I'd post this on inet-access but this is where the conversation is taking
place.

Thanks,
Rick

> Is there a way to globally protect all inbound interfaces on a router via ACL
> (specifically hundreds of frame/sub-interfaces) without applying the same ACL
> to each individual interface?

I believe something like this will work:

no access-list 198
! drop IP protocol types 53, 55 and 77, logging the ingress interface of each hit
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
!
! permit PIM (protocol 103) only from your own PIM neighbor toward the multicast range
access-list 198 permit pim host xx.xx.xx.xx 224.0.0.0 31.255.255.255
!
! everything else that is PIM is dropped and logged; all other IP traffic passes
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
!
!end

Replace xx.xx.xx.xx with the real IP address if you have PIM running; if you
don't, remove that line.

> Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
> that I'm looking for?

No. I don't think so.

-Basil @ CIFNet
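As an added example (not from any poster in this thread), the following script audits a captured running-config for IP-bearing interfaces that do not apply the ACL above inbound and emits the IOS commands to fix them; the config text is constructed, and the access-list number 198 follows the reply above.

```python
# Constructed "show running-config" excerpt (not from a real router): ACL 198
# from the reply above is defined, but only some sub-interfaces apply it inbound.
SAMPLE_CONFIG = """\
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
!
interface Serial0/0.101 point-to-point
 ip address 192.0.2.1 255.255.255.252
 ip access-group 198 in
!
interface Serial0/0.102 point-to-point
 ip address 192.0.2.5 255.255.255.252
!
interface Serial0/0.103 point-to-point
 ip address 192.0.2.9 255.255.255.252
 ip access-group 198 out
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented stanza lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def unprotected_interfaces(config, acl):
    """IP-bearing interfaces missing 'ip access-group <acl> in' (an 'out' ACL does not count)."""
    wanted = f"ip access-group {acl} in"
    return [name for name, lines in parse_interfaces(config).items()
            if any(l.startswith("ip address ") for l in lines) and wanted not in lines]

def remediation(config, acl):
    """IOS commands that apply the ACL inbound on every unprotected interface."""
    if not any(l.startswith(f"access-list {acl} ") for l in config.splitlines()):
        raise ValueError(f"access-list {acl} is not defined in this config")
    cmds = []
    for name in unprotected_interfaces(config, acl):
        cmds += [f"interface {name}", f" ip access-group {acl} in"]
    return cmds
```

Feed it the output of `show running-config` from a real box and the returned command list can be pasted into configuration mode; re-run the audit afterwards to confirm no interface is left without the inbound ACL.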

Depends on the platform; if it is a Cisco GSR or 7500 (w/ sufficiently current IOS), you can look into using a Receive ACL (rACL). The Cisco advisory being sent around in the discussion of the latest vulnerability has a link to more info for Cisco rACLs

- Wayne

Rick Ernst wrote:

> Is this true:
>
> http://www.eweek.com/article2/0,3959,1196496,00.asp
>
> **there is a working exploit for this vulnerability but that it has not been
> released yet.**

Something was posted to the full-disclosure list. I haven't tested it yet myself, but someone else said it did work.

http://lists.netsys.com/pipermail/full-disclosure/2003-July/011421.html
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011420.html

---Mike

Ken Yeo wrote:

> Is this true:
>
> http://www.eweek.com/article2/0,3959,1196496,00.asp
>
> **there is a working exploit for this vulnerability but that it has not
> been released yet.**

No, it is not true. The exploit *has* been released:

http://www.netsys.com/cgi-bin/displaynews?a=611

http://lists.netsys.com/pipermail/full-disclosure/2003-July/011421.html
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011420.html

-davidu