Friday, September 26, 2008

Cisco Vulnerability

Hi All

We were facing a problem on 18th September, and one of my friends, Sanjay, checked with the help of sanity and found the results given below:

Buffer information for Small buffer at 0xD809340
  data_area 0x789AD184, refcount 0, next 0xD13D8B8, flags 0x0
  linktype 0 (None), enctype 0 (None), encsize 14, rxtype 1
  if_input 0x0 (None), if_output 0x0 (None)
  inputtime 1d09h (elapsed 00:00:00.320)
  outputtime 1d09h (elapsed 00:00:18.580), oqnumber 65535
  datagramstart 0x789AD1CA, datagramsize 62, maximum size 260
  mac_start 0x789AD1CA, addr_start 0x789AD1CA, info_start 0x0
  network_start 0x789AD1D8, transport_start 0x789AD1EC, caller_pc 0x29596C

Code that exploits a recently revealed flaw in Cisco's router operating system is publicly available, so now it's up to network administrators to patch their systems or face attack.

There have been isolated reports over the weekend of attackers trying to exploit the vulnerability, which is in Cisco's network operating system, IOS, when processing IP version 4 (IPv4) packets. More than 100 of Cisco's products are susceptible including routers and switches.

ISPs are taking the flaw seriously and are patching their systems. "We have not seen the huge blackouts that would have occurred if they hadn't started to address the issue," said Dave Cole, director of products at Foundstone Inc., Mission Viejo, Calif. "The urgency to patch systems has certainly increased because the exploit is now available."

The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh has issued an advisory because the exploit code was posted to some Internet mailing lists. Symantec and Internet Security Systems have both raised their threat levels for the vulnerability because of the code's release.

In general, the release of exploit code increases the danger of vulnerabilities as it allows people with limited technical savvy to take advantage of the flaws. Instead of having to write the precise packets needed to attack the flaw, a would-be attacker would only have to cut and paste the information from the Internet. In the case of the Cisco vulnerability, exploiting it would trigger a denial-of-service attack that could shut down Web sites and network access points.

Exploiting the vulnerability requires sending some specially crafted IPv4 packets to affected systems. The packets would trick the systems into thinking they are full. The routers and switches would then stop processing traffic, which would render Web servers and other network-dependent systems inaccessible.

The release of the exploit code wasn't surprising given the fact that advisories give would-be attackers the information they need to create the code, Cole said. "The real question is whether people would have enough time to perform upgrades to their systems."

After that he informed the CERT, and on 24th September we found the same bug on Cisco, which is affecting the given IOS.

The vulnerability affects Cisco IOS-based routers and switches running 11.x through 12.2.x. IOS version 12.3 and a number of 12.1 and 12.2 rebuilds are not affected.


1 comment:

MPLSVPN said...

As per Sanjay's analysis, in our network this attack happened on prot 47 and prot 115 (GRE and L2TPv3), basically sending any TTL value and exhausting the input queues, so traffic flow stops. Whichever process occupied the buffer was not releasing it.


Buffer information for Big buffer at 0x67F2D70
data_area 0x7851B804, refcount 1, next 0xFBD47A0, flags 0x200
linktype 7 (IP), enctype 0 (None), encsize 18, rxtype 1
if_input 0x6556BB4 (GigabitEthernet0/3), if_output 0x0 (None)
inputtime 3d19h (elapsed 00:00:00.008)
outputtime 3d19h (elapsed 00:00:17.832), oqnumber 65535
datagramstart 0x7851B858, datagramsize 1492, maximum size 1692
mac_start 0x7851B846, addr_start 0x7851B846, info_start 0x0
network_start 0x7851B858, transport_start 0x7851B854, caller_pc 0x297608

source: xx.xx.xx.xx, destination: xx.xx.xx.xx, id: 0xD411, ttl: 255, prot: 47

Buffer information for Small buffer at 0xDDCAC6C
data_area 0x78562964, refcount 1, next 0x0, flags 0x200
linktype 7 (IP), enctype 0 (None), encsize 14, rxtype 1
if_input 0x6556BB4 (GigabitEthernet0/3), if_output 0x0 (None)
inputtime 3d19h (elapsed 00:00:00.004)
outputtime 3d19h (elapsed 00:00:12.820), oqnumber 65535
datagramstart 0x785629B8, datagramsize 58, maximum size 260
mac_start 0x785629AA, addr_start 0x785629AA, info_start 0x0
network_start 0x785629B8, transport_start 0x785629CC, caller_pc 0x297608

source: x.xx.xx.xx, destination: xx.xx.xx.xx, id: 0xF604, ttl: 254, prot: 115
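
A triage helper for dumps like the ones on this page, added as an example and not part of the original post or comment: it parses the per-buffer records and counts the buffers that are still referenced, grouped by input interface and IP protocol. It assumes refcount > 0 means the buffer is still held; the sample text is constructed in the page's format with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in this page's dump format; IPs are documentation ranges.
SAMPLE = """\
Buffer information for Small buffer at 0xD809340
  data_area 0x789AD184, refcount 0, next 0xD13D8B8, flags 0x0
  if_input 0x0 (None), if_output 0x0 (None)
Buffer information for Big buffer at 0x67F2D70
  data_area 0x7851B804, refcount 1, next 0xFBD47A0, flags 0x200
  if_input 0x6556BB4 (GigabitEthernet0/3), if_output 0x0 (None)
  source: 192.0.2.10, destination: 198.51.100.1, id: 0xD411, ttl: 255, prot: 47
Buffer information for Small buffer at 0xDDCAC6C
  data_area 0x78562964, refcount 1, next 0x0, flags 0x200
  if_input 0x6556BB4 (GigabitEthernet0/3), if_output 0x0 (None)
  source: 192.0.2.11, destination: 198.51.100.1, id: 0xF604, ttl: 254, prot: 115
"""

HEADER = re.compile(r"Buffer information for (\w+) buffer at (0x[0-9A-Fa-f]+)")
FIELDS = {  # field name -> pattern capturing its value on any line of a record
    "refcount": re.compile(r"\brefcount (\d+)"),
    "if_input": re.compile(r"\bif_input 0x[0-9A-Fa-f]+ \(([^)]+)\)"),
    "prot": re.compile(r"\bprot: (\d+)"),
}

def parse_buffers(text):
    """Return one dict per 'Buffer information' record in a dump."""
    records = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            records.append({"pool": head.group(1), "addr": head.group(2)})
            continue
        for name, pattern in FIELDS.items():
            hit = pattern.search(line)
            if hit and records:
                value = hit.group(1)
                records[-1][name] = int(value) if value.isdigit() else value
    return records

def held_by_interface_and_protocol(records):
    """Count held buffers (assumption: refcount > 0) per (if_input, prot)."""
    tally = Counter()
    for rec in records:
        if rec.get("refcount", 0) > 0 and rec.get("if_input", "None") != "None":
            tally[(rec["if_input"], rec.get("prot"))] += 1
    return tally

if __name__ == "__main__":
    print(held_by_interface_and_protocol(parse_buffers(SAMPLE)))
```

A tally dominated by one interface and one or two protocol numbers points at where a filter or rate limit would relieve the input queue while the IOS upgrade is scheduled.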