[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Jared Mauch jared at puck.nether.net
Mon Sep 14 09:52:36 EDT 2009


On Sep 13, 2009, at 10:28 PM, Kevin Graham wrote:

> Sorry for the late response, had to dig through some old cases...
>
>
>> But anyway - my routers are lying to me.  They list *.179 just fine (BGP),
>> but all the other interesting stuff (telnet, ssh, ldp) is not there...
>
> Last dug into this 2.5y ago (while looking into PSIRT cisco-sa-20070131-sip)
> and the answer was:
>
>     CSCdk86016
>     Externally found moderate defect: Duplicate (D)
>     There's no way to see all listening ports
>
>     CSCds10428
>     Internally found moderate defect: Closed (C)
>     Need netstat kind of support for IOS TCP/UDP
>
>     It looks like after the business units analyzed everything they decided
>     they were not going to move forward with this command.
>
>     "Currently we have the show tcp brief all which gives the lists the
>     TCB's in the listening state. Also the netstat command is more generic
>     and applicable to UNIX.  While it is desirable to have something like
>     that, I don't see the exact benefits of the same."
>
> Hopefully the new feature Eloy referred to will be more broadly available;
> does anyone have the DDTS for its integration into 12.2S-derived trains?

Cisco does not manage software in a way that features and capabilities  
go to every platform/release.  Each platform runs its own release-ops  
team, with the rare exception of 'mainline'.  The platform specific  
trains, e.g. S/SX etc., pick up mainline features via bulk syncs of code.

I've been asking for this capability for years, there is no way this  
is going to show up.  Cisco does not have the fortitude to keep a  
platform from shipping to pick up a central-eng/nsstg(itd) driven  
cleanup.  If something impairs the ability for Cisco to recognize  
revenue, such as security/PSIRT issues, it's unlikely to stop things  
from shipping.

i.e.: You need to ask your account team to prioritize these over you  
actually buying a device.  If it stops them from being able to sell  
you routers, it will get fixed.  If not, it's unlikely to have an  
impact.

While you're at it, ask for protected memory in the software.  It's  
not like ram/flash are expensive these days...

- Jared
