[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Justin Shore justin at justinshore.com
Wed Sep 9 17:21:50 EDT 2009


Antonio Soares wrote:
> Hello group,
> 
> What actions are you taking ? What is the real risk ?
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

If I'm reading the notes correctly, to exploit the problem the attacker 
must be able to complete a TCP 3-way handshake.  That would imply that 
the attacker's packets can either get through iACLs or that there are no 
ACLs in place.  This will mainly affect those people with unsecured 
TCP-based services such as telnet, SSH, RSH, SCP, HTTP, and HTTPS. 
Routers providing WebVPN services are at risk and need to be upgraded to 
fix the problem since disabling WebVPN is probably not an option.  Other 
TCP services like BGP and LDP shouldn't be affected unless one of your 
configured neighbors is going to exploit the vulnerability.  If you 
can't trust your own equipment or your peers to not exploit 
vulnerabilities on your equipment....

So the hundreds of thousands of "under-managed" IOS devices out there 
that have the default config with TCP services like HTTP and telnet 
enabled are going to suffer.  All the more reason for Cisco to change 
the default configuration to default to having all services disabled out 
of the box.  Make the admin turn on features themselves that compromise 
their security.  No reason to compromise their security for them.

Fixing this would require implementing security basics such as creating 
a VTY ACL, creating a HTTP/HTTPS ACL or disabling it altogether if it's 
not used, implementing CoPP, iACLs, etc.  Usual stuff.

It looks like I'll be doing a round of upgrades in November.  It's time 
anyway.

Justin
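The "security basics" listed in the post (a VTY access-class, an HTTP/HTTPS ACL or disabling the HTTP server, CoPP and an iACL) translate into a short IOS configuration. The fragment below is an added illustration, not configuration from the poster or from the Cisco advisory; the management network 192.0.2.0/24 and the interface name GigabitEthernet0/0 are constructed placeholders, and the police rate is an arbitrary value to be sized for the platform.

```cisco
! --- Added example (not from the original post). Addresses and names are placeholders.
!
! 1. Restrict who may complete a TCP handshake to the VTY lines at all.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
! 2. Disable the HTTP/HTTPS server when it is not used ...
no ip http server
no ip http secure-server
!
! ... or, if HTTPS is required, fence it with a numbered standard ACL.
! access-list 10 permit 192.0.2.0 0.0.0.255
! ip http secure-server
! ip http access-class 10
!
! Legacy TCP listeners that the default config may leave on.
no service tcp-small-servers
no service udp-small-servers
!
! 3. Control-plane policing: only management hosts may send SSH to the box,
!    and even they are rate-limited so state exhaustion stays bounded.
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
!
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 512000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! 4. Infrastructure ACL on the edge: traffic addressed to the router's own
!    management address is accepted only from the management network.
ip access-list extended IACL-EDGE
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 deny   ip any host 198.51.100.1 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group IACL-EDGE in
```

To confirm the filters are actually catching traffic, `show ip access-lists` shows per-entry hit counters for MGMT-HOSTS and IACL-EDGE, and `show policy-map control-plane` shows conformed versus exceeded packets for the CoPP classes; a rising `deny ... log` counter or exceeded count is the signal that unwanted TCP sessions are being attempted against the device, and with `access-class` in place those sessions never reach the state the advisory is concerned with.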

