[12723] in bugtraq


BindView Security Advisory: SSR Denial of Service

daemon@ATHENA.MIT.EDU (BindView Security Advisory)
Wed Nov 24 19:22:56 1999

Message-Id:  <000201bf36cd$7e5ec980$c4b04bcf@blake>
Date:         Wed, 24 Nov 1999 17:44:40 -0500
Reply-To: BindView Security Advisory <advisory+ssrdos@BOS.BINDVIEW.COM>
From: BindView Security Advisory <advisory+ssrdos@BOS.BINDVIEW.COM>
X-To:         bugtraq@securityfocus.com, ntbugtraq@ntbugtraq.com
To: BUGTRAQ@SECURITYFOCUS.COM

BindView Security Advisory
--------

Cabletron SmartSwitch Router 8000 Firmware v2.x
Issue date: November 24, 1999
Contact: Scott Blake <blake@bos.bindview.com>

Topic:
Denial of Service Vulnerability in Cabletron's SmartSwitch Router (SSR)

Overview:
Cabletron's SSR is a Layers 2-4 routing and switching device with one of
the fastest switching architectures in the industry.  Attackers can cause
the SSR to stop handling any network traffic.

Affected Systems:
BindView has confirmed the vulnerability only in the SSR 8000 running
firmware revision 2.x.  Due to the nature of the problem, other equipment
may be vulnerable, including other manufacturers' products.

Impact:
A malicious attacker can cause the SSR to stop functioning for as long
as the attacker can continue feeding packets to the device.

Details:
Cabletron indicates that the bottleneck appears to occur in the ARP handling
mechanism of the SSR.  The SSR appears to be capable of handling only ~200
ARP requests per second.  Thus, by initiating network traffic to more than
this critical number of IP addresses, an attacker can cause the router to
stop functioning while the ARP handler is flooded.  In extreme cases, with
input rates only available on the local network, it may be possible to
corrupt the SSR's configuration with a sustained flood of new IP addresses.

The danger in this problem arises from the fact that many perimeter defenses
(firewalls) permit ICMP through, which means that remote, anonymous
attackers may be able to crash the SSR.
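
The ~200 requests per second figure above can be used as a monitoring
threshold. The following is an added example, not part of the advisory or
any vendor tooling: it assumes tcpdump-style text lines captured on a segment
behind the router, treats the router's own who-has requests as the load
indicator, and uses a constructed capture with a placeholder router address.

```python
import re
from collections import deque

ARP_LIMIT_PER_SEC = 200  # the advisory's "~200 ARP requests per second"

# tcpdump-style line (assumed input format), e.g.
# "17:44:40.002500 ARP, Request who-has 10.0.0.1 tell 192.0.2.1, length 28"
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) ARP, Request who-has (\S+) tell ([^\s,]+)")

def parse(line):
    """Return (seconds_since_midnight, target_ip, sender_ip), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, target, sender = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), target, sender

def arp_pressure(lines, router_ip, limit=ARP_LIMIT_PER_SEC, window=1.0):
    """Slide a window over the who-has requests sent by router_ip.

    Returns one (timestamp, requests_in_window, distinct_targets) tuple
    each time the count rises above `limit`.
    """
    recent = deque()  # (timestamp, target) pairs still inside the window
    alerts, over = [], False
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != router_ip:
            continue
        ts, target, _ = rec
        recent.append((ts, target))
        while ts - recent[0][0] >= window:
            recent.popleft()
        now_over = len(recent) > limit
        if now_over and not over:
            alerts.append((ts, len(recent), len({t for _, t in recent})))
        over = now_over
    return alerts

def constructed_capture(rate, seconds, router_ip="192.0.2.1"):
    """Constructed sample: `rate` requests/s, each for a new address."""
    lines = []
    for i in range(rate * seconds):
        sec = 40 + i / rate  # starts at 17:44:40, stays within the minute
        lines.append(f"17:44:{sec:09.6f} ARP, Request who-has "
                     f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255} "
                     f"tell {router_ip}, length 28")
    return lines
```

A high request count with an equally high distinct-target count matches the
pattern described above: many new IP addresses, each needing its own lookup.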



Fix Information:

Upgrade your SSR firmware to version 3.x:
http://www.cabletron.com/download/download.cgi?lib=ssr
