[c-nsp] Cisco Security Advisory: TCP State Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products
Jared Mauch
jared at puck.nether.net
Mon Sep 14 09:52:36 EDT 2009
On Sep 13, 2009, at 10:28 PM, Kevin Graham wrote:
> Sorry for the late response, had to dig through some old cases...
>
>
>> But anyway - my routers are lying to me. They list *.179 just fine (BGP),
>> but all the other interesting stuff (telnet, ssh, ldp) is not there...
>
> Last dug into this 2.5y ago (while looking into PSIRT cisco-sa-20070131-sip)
> and the answer was:
>
> CSCdk86016
> Externally found moderate defect: Duplicate (D)
> There's no way to see all listening ports
>
> CSCds10428
> Internally found moderate defect: Closed (C)
> Need netstat kind of support for IOS TCP/UDP
>
> It looks like after the business units analyzed everything they decided
> they were not going to move forward with this command.
>
> "Currently we have the show tcp brief all which gives the lists
> the
> TCB's in the listening state. Also the netstat command is more
> generic
> and applicable to UNIX. While it is desirable to have something
> like
> that, I don't see the exact benefits of the same."
>
> Hopefully the new feature Eloy referred to will be more broadly available;
> does anyone have the DDTS for its integration into 12.2S-derived trains?
Cisco does not manage software in a way that features and capabilities
go to every platform/release. Each platform runs its own release-ops
team, with the rare exception of 'mainline'. The platform-specific
trains, e.g. S/SX etc., pick up mainline features via bulk syncs of code.

I've been asking for this capability for years; there is no way this
is going to show up. Cisco does not have the fortitude to keep a
platform from shipping to pick up a central-eng/nsstg(itd) driven
cleanup. If something impairs the ability for Cisco to recognize
revenue, such as security/PSIRT issues, it's unlikely to stop things
from shipping.

i.e. you need to ask your account team to prioritize these over you
actually buying a device. If it stops them from being able to sell
you routers, it will get fixed. If not, it's unlikely to have an
impact.

While you're at it, ask for protected memory in the software. It's
not like RAM/flash are expensive these days...
- Jared
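The thread's practical takeaway is that IOS has no netstat, and the only visible inventory of listening TCP services is `show tcp brief all`, which lists TCBs in the LISTEN state. As an added example (not code from the thread, Cisco, or the list), the script below parses that output and flags any listener that is not on an operator-maintained allowlist, which is the kind of check an operator would run while reviewing exposure to a TCP-state-manipulation advisory. The column layout is an assumption based on typical IOS output, and the sample output is constructed; the allowlist is a placeholder the operator fills in.

```python
"""Inventory listening TCP services from 'show tcp brief all' output.

Added example, not from the thread or from Cisco. The column layout
(TCB, local address.port, foreign address.port, state) is ASSUMED to
match typical IOS output; verify against your own devices before use.
"""
import re

# Constructed sample approximating 'show tcp brief all' output on IOS.
# '*.23' is a telnet listener left open; 179 = BGP, 22 = SSH, 646 = LDP.
SAMPLE_OUTPUT = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  192.0.2.1.179               192.0.2.2.41006             ESTAB
6523B1E0  *.179                       *.*                         LISTEN
65240A38  *.22                        *.*                         LISTEN
65241C54  *.23                        *.*                         LISTEN
65242E70  *.646                       *.*                         LISTEN
"""

# Placeholder allowlist; an operator maintains this per device role.
EXPECTED_LISTENERS = {22, 179, 646}

# One TCB row: hex TCB id, local addr.port, foreign addr.port, state.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(addr):
    """Split IOS 'host.port' notation into (host, port).

    The port is the last dot-separated field, so '*.23' -> ('*', 23) and
    '192.0.2.1.179' -> ('192.0.2.1', 179). A wildcard port ('*.*') gives
    port None. IPv6 hosts contain no dots, so rpartition still works.
    """
    host, _, port = addr.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_tcp_brief(text):
    """Return one dict per TCB row; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unrecognised text
        tcb, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        entries.append({
            "tcb": tcb,
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state.upper(),
        })
    return entries


def listening_ports(entries):
    """Set of local ports whose TCB is in LISTEN state."""
    return {e["local_port"] for e in entries
            if e["state"] == "LISTEN" and e["local_port"] is not None}


def unexpected_listeners(entries, allowlist):
    """Sorted list of listening ports not covered by the allowlist."""
    return sorted(listening_ports(entries) - set(allowlist))


if __name__ == "__main__":
    parsed = parse_tcp_brief(SAMPLE_OUTPUT)
    print("listening:", sorted(listening_ports(parsed)))
    for port in unexpected_listeners(parsed, EXPECTED_LISTENERS):
        print(f"UNEXPECTED listener on TCP/{port}; review or disable it")
```

Run it against output captured from the device (for example pasted into a file and read in place of `SAMPLE_OUTPUT`); with the constructed sample it reports TCP/23 as unexpected. Because `show tcp brief all` only shows TCP, UDP services still need to be accounted for separately.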