[59762] in North American Network Operators' Group


Re: Cisco Vulnerability Testing Results

daemon@ATHENA.MIT.EDU (Jason Frisvold)
Fri Jul 18 16:46:37 2003

From: Jason Frisvold <friz@corp.ptd.net>
To: nanog@merit.edu
In-Reply-To: <1058542497.17752.89.camel@dhcp9-52.noc.corp.ptd.net>
Date: 18 Jul 2003 16:44:56 -0400
Errors-To: owner-nanog-outgoing@merit.edu




Just for fun we hit an old AGS+ router with 10.2(4) code on it..
Apparently older code is vulnerable too..

So..  everyone running AGS+'s in the core, beware.. *grin*

On Fri, 2003-07-18 at 11:34, Jason Frisvold wrote:
> Ok, update to my testing :
>
> On Fri, 2003-07-18 at 10:48, Jason Frisvold wrote:
> > Hi all,
> >
> > 	First post..  I hope this is ok ...
> >
> > 	We tested the Cisco vulnerability and I wanted to share our results
> > with you ...
> <SNIP>
> > Testing scenario is this :
> >
> > Linux Machine (10.0.0.2/24)
> > Cisco 2514
> >    Ethernet0 (10.0.0.1/24) is in from the attacker
> >    Ethernet1 (192.168.0.1/24) is output to the 2501
> > Cisco 2501
> >    Ethernet0 (192.168.0.2/24) is in from the 2514
> <SNIP>
>
> Firstly, HPing (www.hping.org) can craft the packets required for this
> attack very simply...  I won't post the exact command string, but it's
> not that hard to figure out...  And with HPing, you can easily take down
> an interface in under a second.
>
> Now, on to ACL testing...
>
> 3 ACL tests just to make sure we had everything correct ...  We first
> tried the any any ACL that Cisco recommends :
>
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny 103 any any
> access-list 101 permit ip any any
>
> This produced expected results.  When placed on the interface, it
> prevented the router from being attacked.
>=20
> Next, we tried an ACL with just the interface IP in it :
>=20
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 permit ip any any
>
> We applied this to the Ethernet0 interface on the 2514.  Attacks to that
> IP were prevented as expected.
>=20
> Attacks through to the 2501 were not blocked, again as expected.
>=20
> And finally, attacks to the ethernet1 interface on the 2514, which
> passes through the ethernet0 interface, still caused the ethernet0
> interface to be attacked.
>
> And the last test was an ACL containing all of the IP's on the router:
>=20
> access-list 101 deny 53 any host 10.0.0.1
> access-list 101 deny 55 any host 10.0.0.1
> access-list 101 deny 77 any host 10.0.0.1
> access-list 101 deny 103 any host 10.0.0.1
> access-list 101 deny 53 any host 192.168.0.1
> access-list 101 deny 55 any host 192.168.0.1
> access-list 101 deny 77 any host 192.168.0.1
> access-list 101 deny 103 any host 192.168.0.1
> access-list 101 permit ip any any
>
> This blocked all attacks on the 2514 while still allowing attacks
> through to the 2501..  This is as expected.
>
> Also, another note.  Loopback interfaces, while not vulnerable
> themselves, make it much easier to completely take out routers..  (We're
> assuming that the device is still vulnerable)  If the attacker has the
> loopback of the router, they can run an attack at that interface.  Every
> input interface will be attacked in succession.  As each interface goes
> down and the traffic re-routed, the next interface will fall under
> attack.
>
> Just be sure to add the loopback IP as part of the ACL ...  :)
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
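As an added example (not part of the post or the thread), a small Python checker that applies the post's finding: a deny ACL has to cover every address the router answers on, including loopbacks, for each of the four protocol numbers, or use a blanket `any any` deny. The ACL text, the address list and the 192.0.2.1 loopback address are constructed for the example; the regex only understands the two deny forms the post uses.

```python
import re
from typing import Iterable, List, Set, Tuple

# Protocol numbers the post's ACLs deny.
VULN_PROTOCOLS = (53, 55, 77, 103)

# Matches the two deny forms used in the post:
#   access-list 101 deny 53 any any
#   access-list 101 deny 53 any host 10.0.0.1
ACL_RE = re.compile(r"^\s*access-list\s+\d+\s+deny\s+(\d+)\s+any\s+(any|host\s+(\S+))\s*$")

def parse_denies(acl_text: str) -> Set[Tuple[int, str]]:
    """Return the (protocol, destination) pairs the ACL denies.
    destination is 'any' or a host address; permit lines are ignored."""
    denies = set()
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            dest = "any" if m.group(2) == "any" else m.group(3)
            denies.add((int(m.group(1)), dest))
    return denies

def uncovered(acl_text: str, router_addrs: Iterable[str]) -> List[Tuple[int, str]]:
    """List (protocol, router address) pairs the ACL still lets reach the router.
    As the post shows, a deny on Ethernet0's address alone does not stop packets
    addressed to Ethernet1 or a loopback from arriving via Ethernet0, so every
    address the router owns has to appear (or a blanket 'any any' deny)."""
    denies = parse_denies(acl_text)
    return [(p, a) for p in VULN_PROTOCOLS if (p, "any") not in denies
            for a in router_addrs if (p, a) not in denies]

# Constructed sample: the post's Ethernet0-only ACL, and the 2514's addresses
# plus a hypothetical loopback (192.0.2.1 is a documentation address).
ACL_ETH0_ONLY = "\n".join(
    [f"access-list 101 deny {p} any host 10.0.0.1" for p in VULN_PROTOCOLS]
    + ["access-list 101 permit ip any any"])
ACL_ANY = "\n".join(
    [f"access-list 101 deny {p} any any" for p in VULN_PROTOCOLS]
    + ["access-list 101 permit ip any any"])
ROUTER_ADDRS = ["10.0.0.1", "192.168.0.1", "192.0.2.1"]

if __name__ == "__main__":
    for name, acl in (("eth0-only", ACL_ETH0_ONLY), ("any-any", ACL_ANY)):
        gaps = uncovered(acl, ROUTER_ADDRS)
        print(f"{name}: {len(gaps)} uncovered (protocol, address) pairs")
        for proto, addr in gaps:
            print(f"  protocol {proto} to {addr} is not denied")
```

Run against a real router, the address list would be every IP configured on the box, loopbacks included, which is exactly the set the post's third ACL enumerates by hand.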

