[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Justin Shore
justin at justinshore.com
Wed Sep 9 17:21:50 EDT 2009
Antonio Soares wrote:
> Hello group,
>
> What actions are you taking ? What is the real risk ?
>
> http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
If I'm reading the notes correctly, to exploit the problem the attacker
must be able to complete a TCP 3-way handshake. That would imply that
the attacker's packets can either get through iACLs or that there are no
ACLs in place. This will mainly affect those people with unsecured
TCP-based services such as telnet, SSH, RSH, SCP, HTTP, and HTTPS.
Routers providing WebVPN services are at risk and need to be upgraded to
fix the problem since disabling WebVPN is probably not an option. Other
TCP services like BGP and LDP shouldn't be affected unless one of your
configured neighbors is going to exploit the vulnerability. If you
can't trust your own equipment or your peers to not exploit
vulnerabilities on your equipment....
So the hundreds of thousands of "under-managed" IOS devices out there
that have the default config with TCP services like HTTP and telnet
enabled are going to suffer. All the more reason for Cisco to change
the default configuration to default to having all services disabled out
of the box. Make the admin turn on features themselves that compromise
their security. No reason to compromise their security for them.
Fixing this would require implementing security basics such as creating
a VTY ACL, creating an HTTP/HTTPS ACL or disabling it altogether if it's
not used, implementing CoPP, iACLs, etc. Usual stuff.
It looks like I'll be doing a round of upgrades in November. It's time
anyway.
Justin
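As an added illustration of the "usual stuff" Justin lists (VTY ACL, HTTP/HTTPS ACL or disabling HTTP, an iACL on the edge, and CoPP), here is an IOS configuration fragment. It is an example written for this page, not configuration from the post or from the Cisco advisory. The first part mirrors a default-style config with telnet and HTTP reachable from anywhere; the second part is the hardened equivalent. All addresses are assumed placeholders from the documentation ranges (management prefix 192.0.2.0/24, infrastructure block 203.0.113.0/24, router address 203.0.113.1, BGP peer 198.51.100.1), as are the ACL, class-map, policy-map and interface names.

```cisco
! ---- Weak, default-style configuration (assumed example, for contrast) ----
! HTTP server on, VTYs accept any transport from any source: anyone who can
! reach the router can complete a TCP handshake against it.
ip http server
line vty 0 4
 transport input all

! ---- Hardened equivalent (assumed example) ----
! 1. Drop HTTP; keep HTTPS only if it is actually used, and fence it to the
!    management prefix with a standard ACL (numbered, as ip http access-class
!    takes a 1-99 ACL on older IOS).
no ip http server
ip http secure-server
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
ip http access-class 10
!
! 2. VTY ACL: SSH only, and only from the management prefix.
ip access-list standard MGMT-VTY
 permit 192.0.2.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
 exec-timeout 5 0
!
! 3. Turn off the other listeners nobody needs.
no service tcp-small-servers
no ip finger
!
! 4. iACL on the edge interface: BGP from the configured peer is allowed,
!    everything else aimed at the infrastructure block is dropped before
!    it reaches the control plane, transit traffic passes untouched.
!    A SYN that is dropped here can never complete the handshake the
!    advisory requires.
ip access-list extended IACL-EDGE
 remark BGP session with the configured peer (either side may initiate)
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
 remark deny anything else destined to our own infrastructure addresses
 deny   ip any 203.0.113.0 0.0.0.255 log
 remark transit traffic
 permit ip any any
interface GigabitEthernet0/0
 description Assumed upstream-facing interface
 ip access-group IACL-EDGE in
!
! 5. CoPP: classify traffic punted to the route processor. Peer BGP is
!    left unpoliced, the TCP services this thread is about are dropped
!    outright, and the remainder is rate-limited.
ip access-list extended COPP-BGP
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
ip access-list extended COPP-UNWANTED-TCP
 permit tcp any any eq 23
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 514
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-UNWANTED-TCP
 match access-group name COPP-UNWANTED-TCP
!
policy-map COPP
 class COPP-BGP
  ! no police statement: traffic from the configured peer passes as-is
 class COPP-UNWANTED-TCP
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
  police 256000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The iACL and the VTY/HTTP ACLs are the pieces that directly remove the precondition Justin describes (completing a handshake from an untrusted source); CoPP is the belt-and-braces layer that limits what any surviving connection attempts can do to the route processor. Verify with `show access-lists`, `show ip http server status`, and `show policy-map control-plane` that the hit counters land in the classes you expect before relying on the change.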