[nsp-sec] Looking glass s/w?

John Fraizer john at op-sec.us
Sat Sep 27 03:12:35 EDT 2014


Sorry (kinda) to revive such an old thread but, I want to get the word out.

First, Hank, my MRLG will do "show ip bgp community xxxx" as well as "show
ip bgp regexp xxxx".

Next, and more specific to this particular email though, is the fact that
there is a new version of MRLG that any users of MRLG should deploy.

I was contacted by Luca Bruno a couple of months ago regarding the
fastping.c utility that has been included with MRLG for the past 14 years.
It seems that it is vulnerable to a crafted attack that can cause remote
memory overwrite/corruption.  I was OCONUS with limited connectivity at the
time, in addition to being up to my eyeballs dealing with a Southeast Asia
network redesign.

The fastping.c utility was only used by MRLG in the outside chance that the
"router" in question was Zebra/Quagga.  Based on Google results, this was a
very minuscule minority of installations that utilize MRLG.

Last night, I had some downtime and was able to put together a (superior?)
replacement for fastping.c that utilizes the existing ping utility on the
MRLG host system while emulating the IOS ping facility.

I have released MRLG 5.5.0 as of Sat Sep 27 03:16:28 UTC 2014.  It is a
(nearly) drop-in replacement for all previous versions of MRLG that
addresses the issue that Luca Bruno and Mariano Graziano brought to light
in CVE-2014-3931. See: http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt

The latest MRLG (5.5.0) is available at http://mrlg.op-sec.us/

I know that the details of this CVE were published at:
http://mailman.nanog.org/pipermail/nanog/2014-July/068014.html and
http://www.s3.eurecom.fr/lg/defcon_looking-glass.pdf
http://vrt-blog.snort.org/2014/09/looking-glasses-with-bacon.html
http://tools.cisco.com/security/center/viewAlert.x?alertId=35693
https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-Updated.pdf
https://www.usenix.org/system/files/conference/woot14/woot14-bruno.pdf

There are likely many other locations at which CVE-2014-3931 is detailed.

I ask that the NSP-SEC community make it known - via whatever channels -
that this vulnerability has been addressed and mitigated and point folks to
http://mrlg.op-sec.us/ for the latest code.

Many thanks!

--
John Fraizer
ΥΣΜΧ



On Sun, Feb 10, 2013 at 5:36 PM, Nick Hilliard <nick at inex.ie> wrote:

> ----------- nsp-security Confidential --------
>
> On 10/02/2013 17:20, Hank Nussbacher wrote:
> > I am looking for a LG that can do
> > show ip bgp community xxxx
> > show ip bgp regexp xxxx
>
> http://wiki.version6.net/LG
>
> tip: the Net::SSH::Perl module doesn't understand cisco sshv2, so if you're
> plugging it into a cisco box then you will need to enable sshv1 on the box.
>
> It's a cow to install, but when it works it's very nice.
>
> Nick
>
>


