[c-nsp] Possible security issue with CDP

Hank Nussbacher hank at efes.iucc.ac.il
Thu Jun 26 23:42:27 EDT 2008


On Thu, 26 Jun 2008, Aaron wrote:

No.  It was disabled per specific interfaces.  That interface had cdp 
turned off but changing from ppp to hdlc overrode the specific cdp command 
we had set on the interface.

-Hank

> Curious. Was CDP globally disabled? Don't want to make any assumptions.
>
> Aaron
>
> On Thu, Jun 26, 2008 at 12:12 PM, Hank Nussbacher <hank at efes.iucc.ac.il>
> wrote:
>
>> On Thu, 26 Jun 2008, Jared Mauch wrote:
>>
>> Of course.  This was opened with PSIRT (PSIRT-0642590629) on March 26 and
>> was discussed internally by them and I argued against their view but they
>> held their ground and the results were just concluded and I posted them here
>> so everyone can realize it.  They know I am posting to cisco-nsp as well.
>>
>> -Hank
>>
>>
>>>         Have you contacted PSIRT regarding this issue?  It would seem
>>> to indicate a lack of proper security posture on part of the company
>>> to not view the secret enabling of a feature a problem.
>>>
>>>        - Jared
>>>
>>> On Thu, Jun 26, 2008 at 08:31:25AM +0300, Hank Nussbacher wrote:
>>>
>>>> Just wanted to alert people to a possible minor info leak in regards
>>>> to Cisco CDP.
>>>>
>>>> We had 'cdp off' on POS11/0/0 which is an STM-16 link. Now change the
>>>> encap from ppp to hdlc. Automagically, without notifying anyone, IOS
>>>> changes CDP to be on. Not a good thing when trying to maintain a secure
>>>> router.
>>>>
>>>> This behavior has been documented in CSCso40579 but has been marked
>>>> closed.
>>>>
>>>> CSCso59137 (sev=4) documents the behavior as working as designed. This
>>>> bugid will print a CDP status change message when such an event occurs.
>>>>
>>>> There have been security issues with CDP previously:
>>>> <http://www.cisco.com/en/US/tech/tk962/technologies_security_notice09186a0080093ef0.html>
>>>> so if you want your router to be secure, always double check your
>>>> settings since things might change without you knowing it.
>>>>
>>>> -Hank
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>> --
>>> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
>>> clue++;      | http://puck.nether.net/~jared/ My statements are only mine.
>>>
>>
>
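The thread describes a per-interface CDP setting (Hank's 'cdp off', which on IOS is the interface command `no cdp enable`) being silently dropped when the encapsulation changes, and recommends double-checking settings after changes. As an added example, not code from the list posters or from Cisco, the following Python auditor parses saved `show running-config` text from before and after a change and reports interfaces that are now sending CDP. The two configuration snippets are constructed for illustration; the interface names, addresses and hostname are not from the thread beyond POS11/0/0 and its ppp-to-hdlc change.

```python
"""Audit IOS running-config text for interfaces on which CDP is enabled.

Assumptions (constructed example): the input is the text of
`show running-config`, interface sub-commands are indented by one space,
CDP runs globally unless `no cdp run` is present, and a per-interface
`no cdp enable` disables CDP on that interface. Comparing the report from
before and after a change shows any setting that was quietly reset.
"""
import re

# Constructed config BEFORE the encapsulation change: CDP is off on POS11/0/0.
CONFIG_BEFORE = """\
!
hostname edge-router
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 no cdp enable
!
interface GigabitEthernet0/1
 description uplink to core
 ip address 192.0.2.5 255.255.255.252
!
interface POS11/0/0
 description STM-16 link to peer
 ip address 192.0.2.9 255.255.255.252
 encapsulation ppp
 no cdp enable
!
end
"""

# Constructed config AFTER `encapsulation hdlc`: the `no cdp enable` line
# is gone from POS11/0/0, as the thread reports IOS doing.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " encapsulation ppp\n no cdp enable\n", " encapsulation hdlc\n"
)


def parse_config(config_text):
    """Return (cdp_global_on, {interface_name: [sub-command lines]})."""
    cdp_global_on = True  # IOS default: CDP runs globally
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: leaves any interface block we were in.
            current = None
            if line == "no cdp run":
                cdp_global_on = False
            elif line == "cdp run":
                cdp_global_on = True
            match = re.match(r"interface (\S+)$", line)
            if match:
                current = match.group(1)
                interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return cdp_global_on, interfaces


def cdp_enabled_interfaces(config_text):
    """Interfaces that will send CDP under this config, sorted by name."""
    cdp_global_on, interfaces = parse_config(config_text)
    if not cdp_global_on:
        return []  # globally disabled: no interface sends CDP
    return sorted(
        name for name, lines in interfaces.items() if "no cdp enable" not in lines
    )


def cdp_drift(config_before, config_after):
    """Interfaces where CDP was off before the change and is on after it."""
    before = set(cdp_enabled_interfaces(config_before))
    after = set(cdp_enabled_interfaces(config_after))
    return sorted(after - before)


if __name__ == "__main__":
    print("CDP enabled before:", cdp_enabled_interfaces(CONFIG_BEFORE))
    print("CDP enabled after: ", cdp_enabled_interfaces(CONFIG_AFTER))
    for name in cdp_drift(CONFIG_BEFORE, CONFIG_AFTER):
        print(f"WARNING: CDP was re-enabled on {name} by the change")
```

Run against two saved copies of the running-config, this reports POS11/0/0 as drift; a config that carries a global `no cdp run` reports nothing, since the global setting overrides the per-interface ones.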

