[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Gert Doering gert at greenie.muc.de
Wed Sep 9 16:38:21 EDT 2009


On Wed, Sep 09, 2009 at 06:52:04PM +0100, Antonio Soares wrote:
> What actions are you taking ? What is the real risk ?
> http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

"scream, wave your arms, run around in circles"...

Seriously: I'm not exactly sure what the actual impact is.

What we're going to do is:

 - identify what parts of IOS use TCP (telnet, ssh, rsh, bgp, ldp, 
   http/s, ftp, others?)

   (for some weird reason, "show ip sockets" only shows UDP sockets on
   our boxes, and "show tcp brief" only shows ESTABLISHED TCP sessions
   - how can I see what TCP LISTEN sockets are there??)

 - find out what the impact is on each ("fill all available slots, lock
   out legitimate admins" or "fill all available memory, killing the box")

 - find out how to mitigate
    - telnet/ssh -> vty ACLs
    - rsh -> recent IOSes send RST to unknown peers
    - bgp -> takes care of itself (doesn't talk to unknown peers)
    - http/https -> turn off
    - ldp -> ??
    - ftp -> ??
    - generic -> receive ACLs ("if the platform happens to support it"),
                 infrastructure ACLs ("not always effective in catching
                 all possible IP addresses that a box with many customer
                 /30 or /29s might have")

USENET is *not* the non-clickable part of WWW!
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
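
Added example, not part of the original post: a small audit of the two checklist items above that have a concrete config-level mitigation (vty ACLs for telnet/ssh, turning off http/https), run against a saved running-config. The sample config and the function name are constructed for illustration; the check assumes that only explicit "ip http server" / "ip http secure-server" lines mean the listener is on, and it looks only at IPv4 "access-class ... in".

```python
import re

# Constructed sample running-config (not from the original post).
SAMPLE_CONFIG = """\
hostname edge1
ip http server
no ip http secure-server
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

def audit_tcp_exposure(config: str) -> list[str]:
    """Return findings for the vty and http/https items of the checklist."""
    findings = []
    current_vty = None   # header of the 'line vty' block being read, if any
    has_acl = False      # True once an inbound access-class is seen in it

    def close_block():
        # A vty range that ends without an inbound ACL is a finding.
        if current_vty is not None and not has_acl:
            findings.append(f"{current_vty}: no inbound access-class")

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):   # any top-level line ends the block
            close_block()
            current_vty, has_acl = None, False
            if re.match(r"line vty \d+", line):
                current_vty = line
            elif re.fullmatch(r"ip http (secure-)?server", line):
                findings.append(f"{line}: HTTP(S) listener enabled")
        elif current_vty and re.match(r"\s+access-class \S+ in\b", line):
            has_acl = True
    close_block()          # config may end while still inside a vty block
    return findings

if __name__ == "__main__":
    for finding in audit_tcp_exposure(SAMPLE_CONFIG):
        print(finding)
```

Every vty range needs its own access-class; the second range (5 15) in the sample is the kind that gets missed when only "line vty 0 4" is edited.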