[20556] in bugtraq


Re: Cisco HSRP Weakness/DoS

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri May 4 02:12:45 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010504025301.3D4857B7B@berkshire.research.att.com>
Date:         Thu, 3 May 2001 22:53:01 -0400
Reply-To: smb@RESEARCH.ATT.COM
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To:         bashis <bash@NS.WCD.SE>
To: BUGTRAQ@SECURITYFOCUS.COM

In message <200105031757.TAA05508@ns.wcd.se>, bashis writes:
>
>Hi
>
>I was playing with Cisco's HSRP (Hot Standby Routing Protocol),
>and there is a (major) weakness in that protocol that allows
>any host in a LAN segment to make an HSRP DoS.
>
>Short (very) explanation of HSRP.
>HSRP uses UDP on port 1985 to multicast address 224.0.0.2,
>and the authentication is in clear text. (default: cisco)
>
>I include a small program that sends out a fake HSRP packet
>when it hears a legal HSRP packet, as "proof of concept" code...
>
>Vendor was notified about this 14 April 2001,
>and their response was to use HSRP with IPSec.
>http://www.cisco.com/networkers/nw00/pres/2402.pdf
>

Their response was precisely correct.  Given the evils that can be done
with ARP-spoofing, this sort of misbehavior by someone already on the
LAN can't easily be prevented.

More generally, have a look at RFC 2338, on VRRP -- the Virtual Router
Redundancy Protocol.  VRRP is the standards-track replacement for HSRP.
The Security Considerations section explains when to use each type of
authentication, up to and including IPsec.

Cisco's real mistake is in having a common default authentication word
-- not because it's a security failure, but because it can no longer
fulfill its function of guarding against configuration errors.

		--Steve Bellovin, http://www.research.att.com/~smb
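A defender-side illustration of the two points raised in this thread (clear-text authentication with a factory-default string, and any LAN host being able to speak HSRP): the following is example code added to this archive page, not code from either poster or from Cisco. It decodes the 20-byte HSRPv1 payload laid out in RFC 2281 (UDP port 1985 to 224.0.0.2, as the original post states) and flags hellos that still carry the default authentication string or that come from a source outside a configured list of legitimate routers. The sample payloads and router addresses are constructed for the example; the `known_routers` set and the `audit` function name are assumptions of this example, not anything from the thread.

```python
"""Passive audit of HSRPv1 packets captured on a LAN segment.

Example added to this archive page; not the original poster's PoC and not
Cisco's code.  HSRPv1 payload (RFC 2281) is 20 bytes:
  version, opcode, state, hellotime, holdtime, priority, group, reserved
  (one byte each), 8 bytes of clear-text authentication, 4-byte virtual IP.
"""
import struct
from dataclasses import dataclass

HSRP_PORT = 1985            # UDP port HSRP uses (from the original post)
HSRP_MCAST = "224.0.0.2"    # all-routers multicast group (from the original post)
DEFAULT_AUTH = b"cisco"     # factory default auth string (from the original post)

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpPacket:
    version: int
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Decode an HSRPv1 UDP payload into its fields."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 payload is 20 bytes")
    (version, opcode, state, hellotime, holdtime,
     priority, group, _reserved) = struct.unpack("!8B", payload[:8])
    auth = payload[8:16].rstrip(b"\x00")          # NUL-padded clear-text string
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpPacket(version, OPCODES.get(opcode, f"op{opcode}"),
                      STATES.get(state, f"state{state}"),
                      hellotime, holdtime, priority, group, auth, vip)


def audit(src_ip: str, payload: bytes, known_routers: set[str]) -> list[str]:
    """Return findings for one captured packet (assumed audit API for this example).

    known_routers: the IPs of the routers that are supposed to run HSRP on this
    segment; anything else speaking HSRP is the weakness the thread describes.
    """
    findings = []
    pkt = parse_hsrp(payload)
    if pkt.auth == DEFAULT_AUTH:
        findings.append(f"{src_ip}: group {pkt.group} uses default auth string")
    if src_ip not in known_routers:
        findings.append(f"{src_ip}: unexpected sender for group {pkt.group} "
                        f"({pkt.opcode}, {pkt.state}, priority {pkt.priority})")
    return findings


# Constructed sample payloads (not real captures).
# Legitimate active router: Hello, Active, hello 3s, hold 10s, priority 100,
# group 1, auth "cisco", virtual IP 10.0.0.1.
SAMPLE_LEGIT = (b"\x00\x00\x10\x03\x0a\x64\x01\x00"
                + b"cisco\x00\x00\x00" + bytes([10, 0, 0, 1]))
# Packet from a non-router host claiming the group with priority 255.
SAMPLE_ROGUE = (b"\x00\x01\x10\x03\x0a\xff\x01\x00"
                + b"cisco\x00\x00\x00" + bytes([10, 0, 0, 1]))

if __name__ == "__main__":
    routers = {"10.0.0.2", "10.0.0.3"}   # assumed legitimate routers on the segment
    for src, payload in (("10.0.0.2", SAMPLE_LEGIT), ("10.0.0.50", SAMPLE_ROGUE)):
        for line in audit(src, payload, routers):
            print(line)
```

In a real deployment the payloads would come from a capture filter on UDP port 1985 to 224.0.0.2; the audit is deliberately passive, and the "unexpected sender" check is the one that matters even after the default string has been changed, since the authentication field travels in the clear and cannot by itself distinguish a router from any other host on the segment, which is the point of Bellovin's reply.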
