[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products

Eloy Paris elparis at cisco.com
Thu Sep 10 09:22:04 EDT 2009


Hi Gert,

On Thu, Sep 10, 2009 at 02:16:17PM +0200, Gert Doering wrote:

> Hi,
> 
> On Thu, Sep 10, 2009 at 01:48:46PM +0200, Mark Meijerink wrote:
> > When you run the show tcp brief all command you also see the listening ports.
> > 
> > router#show tcp brief ?
> >   all  All end-points (even listeners)
> 
> Oh.  Cool.  For whatever reason, I overlooked this.
> 
> But anyway - my routers are lying to me.  They list *.179 just fine (BGP),
> but all the other interesting stuff (telnet, ssh, ldp) is not there...

In a Cisco Security Advisory that we published last year
(http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml), we
wrote the following:

'Different versions of Cisco IOS have different ways of verifying
whether the Cisco IOS device is listening for SIP messages. The "show ip
sockets", "show udp", "show tcp brief all", and "show control-plane host
open-ports" commands can be used to determine this, although not all of
these commands work on all IOS releases. Since it is not practical in
this document to provide a list of commands corresponding to the various
releases, users should try the aforementioned commands to determine
which ones work for their device.'

The problem is that historically we've had different internal APIs
that applications and services can use to register the ports they need
to open. I believe "show control-plane host open-ports" is the latest
incarnation and the desired way moving forward but not all applications
and services have migrated to it which is why we still rely on different
commands.

Cheers,

-- 

Eloy Paris
Cisco PSIRT
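The advisory text quoted above lists several commands, of which "show tcp brief all" is the one this thread discusses. The following parser is an added example, not code from the thread, from Cisco or from the advisory: it extracts the LISTEN entries from that command's output and compares them against an allowlist of services the operator expects to be open, which is the check a reviewer would actually want when auditing a device. The column layout is assumed from the typical IOS output format (TCB, local address, foreign address, state, with the port as the last dotted component of each address), and the sample output is constructed, not captured from a real router.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of "show tcp brief all" output; not from a real device.
# Note that LDP (646) appears only as an established session here, not as a
# listener, mirroring the observation in the thread that some services are
# not visible as LISTEN entries in this command.
SAMPLE_SHOW_TCP_BRIEF_ALL = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  192.0.2.1.23                192.0.2.50.1132             ESTAB
65239A84  *.179                       *.*                         LISTEN
65231B10  *.22                        *.*                         LISTEN
6524C000  192.0.2.1.646               192.0.2.2.11004             ESTAB
65250AA0  *.80                        *.*                         LISTEN
"""

# One data row: hex TCB handle, local endpoint, foreign endpoint, TCP state.
# The header line starts with "TCB", which is not valid hex, so it is skipped.
LINE_RE = re.compile(
    r"^(?P<tcb>[0-9A-Fa-f]+)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z]+)\s*$"
)


def split_addr_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split "address.port" as IOS prints it; "*" means any address/port."""
    addr, _, port = endpoint.rpartition(".")
    return addr, (int(port) if port.isdigit() else None)


def parse_show_tcp_brief(output: str) -> List[Dict[str, object]]:
    """Parse the command output into a list of socket records."""
    rows: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        local_addr, local_port = split_addr_port(m["local"])
        foreign_addr, foreign_port = split_addr_port(m["foreign"])
        rows.append({
            "tcb": m["tcb"],
            "local_addr": local_addr,
            "local_port": local_port,
            "foreign_addr": foreign_addr,
            "foreign_port": foreign_port,
            "state": m["state"],
        })
    return rows


def listening_ports(output: str) -> List[int]:
    """Return the sorted set of local TCP ports in LISTEN state."""
    return sorted({
        int(r["local_port"]) for r in parse_show_tcp_brief(output)
        if r["state"] == "LISTEN" and r["local_port"] is not None
    })


def unexpected_listeners(output: str, allowed: Set[int]) -> List[int]:
    """Listeners not in the operator's allowlist; these warrant investigation."""
    return sorted(set(listening_ports(output)) - set(allowed))


if __name__ == "__main__":
    # Hypothetical allowlist: this device is expected to offer SSH and BGP only.
    expected = {22, 179}
    print("listening:", listening_ports(SAMPLE_SHOW_TCP_BRIEF_ALL))
    print("unexpected:", unexpected_listeners(SAMPLE_SHOW_TCP_BRIEF_ALL, expected))
```

Because the thread's point is that this command does not show every listener, an audit should run the other commands the advisory names as well and merge their results, rather than treating an empty "unexpected" list from this parser alone as proof that nothing else is open.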

